This is a discussion on Re: packet too big within the Bind Users forums, part of the DNS and Related Forums category.
Michael Varre <bind9@kishmish.com> wrote:
>> -----Original Message-----
>> From: Danny Mayer [mailto:mayer@gis.net]
>> Sent: Friday, July 09, 2004 11:27 AM
>> To: Michael Varre; bind-users@isc.org
>> Subject: RE: packet too big
>>
>> At 11:08 AM 7/9/2004, Michael Varre wrote:
>> >Yes, they are being blocked because they are larger than 512 bytes - I just
>> >don't understand why they are that large. Seems there should be a better
>> >explanation than just allowing larger packets through via a fixup.
>>
>> Because EDNS0 allows for packets larger than 512 and akamai will turn a

> I'm sorry but I'm not familiar with EDNS0 (extended dns?). Is this normal
> and is it commonplace for a small pix such as mine to have to extend
> allowable size to 1024? Is this something that is just starting to pop up?
> Doesn't seem like it would be a standard thing set on a firewall such as a
> pix if it were so commonplace.

The problem is that Cisco tries to decode DNS packets and fails. They would be better
off treating DNS packets as any other packets and have the user set up a
real DNS server as "proxy" if they want. (With "proxy" I mean a nameserver started
inside the fw, clients asking that nameserver, which in its turn might go out for answers.)

>> large list which
>> won't fit into 512 bytes. Unless you prefer to use TCP for DNS data.

> I wasn't aware that was an option.

It's not an option, it's part of the protocol spec.

>>
>> Danny
>>
>> >mv

--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but I'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
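The size negotiation discussed in this thread, as an added example that is not part of the original messages: it builds a DNS query with and without an EDNS0 OPT record, reads back the UDP payload size the client advertises, and predicts what a firewall enforcing a fixed DNS length limit does to a larger response. The function names, the query name `www.example.com` and the sample sizes are constructed for illustration, and the parser assumes uncompressed names, as queries built here always are.

```python
import struct

CLASSIC_UDP_LIMIT = 512  # UDP DNS message limit without EDNS0 (RFC 1035)

def build_query(name, edns_size=None, txid=0x1234):
    """Build an A query; if edns_size is set, append an EDNS0 OPT record (RFC 6891)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if edns_size:
        # OPT RR: root name, TYPE 41, CLASS carries the UDP payload size, TTL 0, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return msg

def skip_name(msg, pos):
    """Skip an uncompressed domain name and return the offset just past it."""
    while msg[pos] != 0:
        pos += msg[pos] + 1
    return pos + 1

def advertised_udp_size(query):
    """Return the UDP payload size the client accepts (512 if no OPT record)."""
    qd, _an, _ns, ar = struct.unpack("!HHHH", query[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(query, pos) + 4  # QTYPE + QCLASS
    for _ in range(ar):  # a query has no answer/authority records before these
        pos = skip_name(query, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[pos:pos + 10])
        if rtype == 41:
            return max(rclass, CLASSIC_UDP_LIMIT)  # values below 512 are treated as 512
        pos += 10 + rdlen
    return CLASSIC_UDP_LIMIT

def predict(query, response_len, firewall_limit):
    """Predict the fate of a response of response_len bytes behind a length-enforcing firewall."""
    if response_len > advertised_udp_size(query):
        return "truncated by server (TC=1), client retries over TCP"
    if response_len > firewall_limit:
        return "dropped by firewall although valid under EDNS0"
    return "delivered over UDP"

if __name__ == "__main__":
    plain = build_query("www.example.com")                # constructed sample query
    edns = build_query("www.example.com", edns_size=4096)
    for label, q in (("no EDNS0", plain), ("EDNS0 4096", edns)):
        for limit in (512, 1024):
            print(label, "limit", limit, "->", predict(q, 700, limit))
```
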