disable dnssec in bind resolver

Warren Kumari warren at kumari.net
Tue Jun 8 14:48:06 UTC 2010


On Jun 8, 2010, at 6:26 AM, Jan Buchholz wrote:

> Thanks @all, sorry I was out of office yesterday. I'll discuss the
> issue this week at the German LinuxTag in Berlin.
>
> What do you mean by firewalls that look into packets and block them
> if the filter doesn't know a flag?

Some "high security" firewalls examine the actual payload of the
packets and validate that the payload follows the spec (at least as
they understand the spec). This sounds like a great win, because it
allows you to make sure that folks aren't tunneling things over other
ports, "protects" your backend from application level attacks (and
attacks on the TCP stack and such) and allows NAT fixups for things
like SIP -- this is often called an ALG (Application Layer Gateway),
fixups or something similar. Unfortunately they almost always cause
way way more issues than they solve, and cause really really
interesting troubleshooting problems[0]. The firewall has to maintain
a huge amount of state, the ALG is coded for a protocol at a specific
point in time and so doesn't deal with extensions (like EDNS
apparently :-P), etc.

W

[0]: My favorite instance of this was downloading an ISO of Ubuntu
something or other. I downloaded the ISO and ran 'md5sum' to validate
it -- validation failed so I deleted it and tried again. Validation
fails again. Lather, rinse, repeat.
After a few tries (all over a 1.5 Mbps DSL line no less) I ended up
copying it over SCP instead of HTTP. Validates fine....
I run 'diff' to see if I can figure out what the hell is going on.

I discover that (in two places in the file) the sequence 0x4772 0x26C7
has mysteriously become 0xC0A8 0x002F. I spend a while poking at
random things (for some reason I had decided it must be bad RAM on the
RAID controller) and end up converting the bytes to decimal -- the
correct one is 71 114 38 199 and the incorrect one is 192 168 0 47...
Wait a minute, that last set of numbers looks *awfully* familiar...
Yup, it's the address of my machine and the other address is the
outside address of the firewall...
Suddenly I realize -- the firewall / NAT device is doing NAT "fixup"
by blindly replacing the "outside" address with the "inside" address
anywhere in the payload... Wheeeeee.....

>
> First I've fixed the problem with edns no;
>
> Jan

-- 
I had no shoes and wept.  Then I met a man who had no feet.  So I  
said, "Hey man, got any shoes you're not using?"
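The blind NAT "fixup" from footnote [0], modelled in Python as an added example (not code from the thread or from BIND): a constructed payload carries the firewall's outside address bytes in two places, the fake ALG swaps them for the inside address, the md5 check fails, and a byte-level diff decodes each rewrite as dotted quads so the RFC 1918 address stands out. The sample payload and helper names are constructed for this demonstration.

```python
import hashlib
import ipaddress

# Addresses from the post: 0x4772 0x26C7 = 71.114.38.199 (firewall outside),
# 0xC0A8 0x002F = 192.168.0.47 (the inside host).
OUTSIDE = ipaddress.IPv4Address("71.114.38.199")
INSIDE = ipaddress.IPv4Address("192.168.0.47")

# Constructed sample payload: filler bytes with the outside address's four
# raw bytes appearing twice, as happened "in two places" in the ISO.
FILLER = bytes(range(256)) * 4
SAMPLE_PAYLOAD = (FILLER[:300] + OUTSIDE.packed
                  + FILLER[300:700] + OUTSIDE.packed + FILLER[700:])


def naive_alg_fixup(payload: bytes, outside=OUTSIDE, inside=INSIDE) -> bytes:
    """Model of the broken NAT fixup: rewrite every occurrence of the outside
    address's raw bytes with the inside address, with no idea whether those
    bytes are an address at all (hypothetical ALG, not a real product)."""
    return payload.replace(outside.packed, inside.packed)


def checksum_matches(original: bytes, received: bytes) -> bool:
    """The md5sum check that kept failing in the post."""
    return hashlib.md5(original).hexdigest() == hashlib.md5(received).hexdigest()


def find_rewrites(original: bytes, received: bytes) -> list:
    """Reproduce the 'diff' step: locate each run of differing bytes and decode
    the 4-byte window at that offset as IPv4 addresses. Assumes an in-place
    substitution (same length) whose first byte differs, as in the post."""
    if len(original) != len(received):
        raise ValueError("length changed; not an in-place substitution")
    hits, i = [], 0
    while i < len(original):
        if original[i] == received[i]:
            i += 1
            continue
        before = ipaddress.IPv4Address(original[i:i + 4])
        after = ipaddress.IPv4Address(received[i:i + 4])
        hits.append((i, str(before), str(after)))
        i += 4
    return hits


def rewrites_look_like_nat(hits) -> bool:
    """The 'awfully familiar' test: every replacement decodes to a private address."""
    return bool(hits) and all(ipaddress.IPv4Address(a).is_private for _, _, a in hits)
```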