DNS and TCP
Mark_Andrews at isc.org
Wed Oct 2 21:43:41 UTC 2002
>
> % I would like to provide them an example of where their blocking DNS
> % services using TCP may cause problems. Specific possibilities that I
> % can imagine would include:
> %
> % Large numbers of glue records (lots of NS records for the zone)
> % Large numbers of answers (multiple records, maybe MX records?)
> % Large answers (a large TXT record)
> %
> % Bill Larson (wllarso at swcp.com)
>
> signed zones.
> some SRV & NAPTR replies.
> things with CERTs.
>
> More interestingly, folks w/ EDNS0 capable systems will
> generate replies that trigger UDP fragmentation. The
> claim is that things like PIX will drop fragmented UDP
> datagrams. Is this true? Will other firewall/IDS systems
> do the same?
PIX drops responses > 512 whether they are fragmented or not.
>
> --bill
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
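As an added illustration (not part of this thread or of BIND), the script below builds two of the reply types mentioned above in bare DNS wire format, a zone with a dozen NS records and a 600-character TXT record, and then classifies how each reply reaches a client under the classic 512-octet UDP limit, under an EDNS0 buffer of 4096, and behind a device that drops any UDP reply over 512 octets while TCP 53 is also blocked. The example.com names and record counts are constructed, and no name compression is applied, so real responses from a server would come out somewhat smaller.

```python
import struct

CLASSIC_UDP_LIMIT = 512          # RFC 1035: DNS over UDP is limited to 512 octets
TYPE_NS, TYPE_TXT, CLASS_IN = 2, 16, 1

def encode_name(name):
    """Wire-format domain name: length-prefixed labels, root terminator, no compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def txt_rdata(text):
    """TXT RDATA is a sequence of <character-string>s, each at most 255 octets."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    return b"".join(bytes([len(c)]) + c for c in chunks)

def encode_rr(owner, rtype, rdata, ttl=3600):
    # NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA (RFC 1035 section 3.2.1)
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def build_response(qname, qtype, answer_rrs):
    """Minimal authoritative answer: header + question + answer section only."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, len(answer_rrs), 0, 0)  # QR|AA|RD|RA
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + b"".join(answer_rrs)

def delivery(size, edns_udp_size=None, firewall_max_udp=None, tcp_allowed=True):
    """Classify how a reply of `size` octets reaches the client on a given path.
    Returns "udp", "tcp" (server sets TC, client retries over TCP) or "lost"."""
    limit = edns_udp_size or CLASSIC_UDP_LIMIT
    if firewall_max_udp is not None:
        limit = min(limit, firewall_max_udp)   # a box that drops any UDP reply > N octets
    if size <= limit:
        return "udp"
    return "tcp" if tcp_allowed else "lost"

def many_ns_response(n):
    """Constructed zone example.com with n NS records (ns00..ns<n-1>.example.com)."""
    rrs = [encode_rr("example.com", TYPE_NS, encode_name("ns%02d.example.com" % i)) for i in range(n)]
    return build_response("example.com", TYPE_NS, rrs)

def big_txt_response(length):
    """Constructed single TXT record of `length` characters."""
    return build_response("example.com", TYPE_TXT, [encode_rr("example.com", TYPE_TXT, txt_rdata("v" * length))])

if __name__ == "__main__":
    for label, msg in (("12 NS records", many_ns_response(12)), ("600-char TXT", big_txt_response(600))):
        print(label, len(msg), "octets: classic UDP ->", delivery(len(msg)),
              "| EDNS0 4096 ->", delivery(len(msg), 4096),
              "| >512 dropped and TCP blocked ->", delivery(len(msg), 4096, 512, tcp_allowed=False))
```

With twelve NS records the uncompressed reply is already 521 octets, so a resolver without EDNS0 only gets it after a TCP retry, and on a path that drops both oversize UDP and TCP the answer never arrives at all.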