<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 12/13/2011 07:46 AM, babu dheen wrote:
<blockquote
cite="mid:1323780392.81461.YahooMailClassic@web137304.mail.in.yahoo.com"
type="cite">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="font: inherit;" valign="top">
<div>Dear Anand,</div>
<div> </div>
<div>In what situation, DNS packet size can exceed more
than 512 bytes. In fact, my gateway DNS server should
not contact internal DNS server except internal domain
name resolution if any user access any internal website
through proxy. </div>
<div> </div>
<div>My proxy is using gateway DNS for name resolution. So
if any users access internal website through proxy,
proxy will send the name lookup to gateway DNS and
gateway DNS will forward the request to internal DNS
server.</div>
<div> </div>
<div>In this case, will the internal domain DNS query
exceed 512 bytes?</div>
<div> </div>
<div>Regards</div>
<div>papdheen M<br>
</div>
</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
Papdheen,<br>
<br>
The firewall is dropping the response packet, the gateway DNS
servers are not initiating the query. EDNS can be larger then 512
byte UDP, so it's most likely your internal DNS server is sending
the query with EDNS flag set, which triggers the gateway DNS server
to respond with a large UDP packet instead of a 512 byte one with
truncated flag set, which would then trigger the internal DNS server
to run the query again over tcp 53 to get the full response.<br>
<br>
With DNSSEC, responses are often over the old 512 byte limit. Most
current resolvers will use EDNS flag over UDP to avoid having to
duplicate the query over TCP when they get a truncated response over
UDP.<br>
<br>
So either remove the DNS payload size limit or raise it, update the
firewall to support EDNS detection in it's stateful inspection of
DNS, or configure your internal DNS resolver to explicitly not use
EDNS.<br>
<br>
Overview of EDNS:<br>
<a class="moz-txt-link-freetext" href="https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS">https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS</a><br>
<br>
<br>
<br>
-James Keller<br>
<br>
<blockquote
cite="mid:1323780392.81461.YahooMailClassic@web137304.mail.in.yahoo.com"
type="cite">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="font: inherit;" valign="top">
<div><br>
--- On <b>Tue, 13/12/11, Anand Buddhdev <i><a class="moz-txt-link-rfc2396E" href="mailto:anandb@ripe.net"><anandb@ripe.net></a></i></b>
wrote:<br>
</div>
<blockquote style="BORDER-LEFT: rgb(16,16,255) 2px solid;
PADDING-LEFT: 5px; MARGIN-LEFT: 5px"><br>
From: Anand Buddhdev <a class="moz-txt-link-rfc2396E" href="mailto:anandb@ripe.net"><anandb@ripe.net></a><br>
Subject: Re: Suspecious DNS queries dropped by Firewall<br>
To: "babu dheen" <a class="moz-txt-link-rfc2396E" href="mailto:babudheen@yahoo.co.in"><babudheen@yahoo.co.in></a><br>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
Date: Tuesday, 13 December, 2011, 5:39 PM<br>
<br>
<div class="plainMail">On 13/12/2011 13:04, babu dheen
wrote:<br>
<br>
> Hi,<br>
> <br>
> Our company users are using internal DNS servers
for name resolution<br>
> and internal DNS servers are configured to
forward the DNS query to<br>
> company gateway DNS servers for external queries<br>
> <br>
> User --> internal DNS server ---> gateway
DNS server ---> internet<br>
> <br>
> But when i look at the firewall hit , i can see
gateway DNS server is<br>
> again sending DNS query to internal DNS server
and the same is denied in<br>
> firewall with below error<br>
> <br>
> Dropped UDP DNS reply from
OUTSIDE:<gateway-dns-ip>/53 to<br>
> DMZ50:<internal-dns-ip>/63953; packet
length 526 bytes exceeds<br>
> configured limit of 512 bytes<br>
<br>
Your firewall is misconfigured. Who said DNS reply
packets cannot be<br>
bigger than 512 bytes? You need to reconfigure your
firewall, and remove<br>
that 512-byte limit for DNS queries and responses.<br>
</div>
</blockquote>
</td>
</tr>
</tbody>
</table>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a></pre>
</blockquote>
<br>
</body>
</html>