Re: [dnsext] Firewall support for large DNS names (>255) and packets (>512)?
Florian Weimer <fweimer@bfk.de> Sun, 12 October 2008 15:59 UTC
To: Matthew Dempsky <matthew@dempsky.org>
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Firewall support for large DNS names (>255) and packets (>512)?
References: <d791b8790810101526g1d59939xf47ecfd0a0324d29@mail.gmail.com>
From: Florian Weimer <fweimer@bfk.de>
Date: Sun, 12 Oct 2008 17:52:32 +0200
In-Reply-To: <d791b8790810101526g1d59939xf47ecfd0a0324d29@mail.gmail.com> (Matthew Dempsky's message of "Fri, 10 Oct 2008 15:26:42 -0700")
Message-ID: <82hc7hbykf.fsf@mid.bfk.de>

* Matthew Dempsky:

> Is anyone aware of any common firewalls that reject DNS packets (or
> all UDP packets to/from port 53) longer than 512 bytes or DNS packets
> that contain domain names longer than 255 bytes?

Seriously, use a different UDP port.  As an added bonus, you don't
have to use a separate IP address for the reverse proxy.

-- 
Florian Weimer                <fweimer@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99