512 byte limit

Todd Snyder tsnyder at rim.com
Wed Jan 21 16:47:01 UTC 2009

Good day,

I am struggling to get my head around the 512 byte limit with regards to
DNS queries/responses.  I am sure there is much in the RTFM category,
and I will continue to RTFM, but I wanted to ask a couple of specific

1) If a reply is over 512 bytes, which can't in theory be done via UDP,
should the queried server reply telling my resolver to ask again using
TCP?  Assuming, as one normally should, that there are firewalls, the
queried server can't simply reply TCP, as it would get blocked.

2) Further to above, are responses over 512 bytes permissible using UDP?
We are seeing some firewall messages indicating that one of our FWs is
getting DNS responses at 600ish bytes:

2009 Jan 21 14:03:02 -- %FWSM: Dropped UDP DNS reply from xxxxxxxx/53 to
yyyyyyy/2114; packet length 660 bytes exceeds configured limit of 512

I was under the (likely mistaken) impression that over 512 wasn't
allowed, but there it is ...

I could very well be completely messed up regarding the rules, so please
forgive my ignorance.  If you know my answer is in TFM, please batter me
about the head and tell me which FM at least :)


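The two questions above map onto two mechanisms, and the example below (added here as an illustration; it is not code from the original post or from BIND) shows both on the wire. Classic DNS (RFC 1035) caps a UDP message at 512 bytes; a server whose answer does not fit sends what it can with the TC (truncated) header bit set, and it is the client that retries the same question over TCP port 53, so the server never "replies TCP" on its own. EDNS0 (RFC 6891, originally RFC 2671) lets a client advertise a larger UDP payload size in an OPT pseudo-record, and a server that sees that may send a 660-byte UDP reply, which is exactly what a firewall still enforcing the 512-byte inspection limit will drop. The code builds queries with and without OPT, reads back the advertised size, checks TC on a constructed truncated reply, and includes a live UDP-then-TCP lookup. The transaction ID, the sample name example.com and the constructed reply bytes are assumptions for the demonstration.

```python
"""DNS 512-byte limit demo: TC-bit fallback to TCP and the EDNS0 buffer-size advertisement."""
import socket
import struct

DNS_TYPE_OPT = 41
CLASSIC_UDP_MAX = 512  # RFC 1035 UDP message limit when no OPT record is present


def _encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at msg[off:]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype=1, txid=0x1234, edns_bufsize=None):
    """Standard recursive query; with edns_bufsize set, append an OPT pseudo-RR (RFC 6891)."""
    arcount = 1 if edns_bufsize is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)     # QTYPE, QCLASS=IN
    msg = header + question
    if edns_bufsize is not None:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL=extended RCODE/version/flags (all zero here), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_bufsize, 0, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte header; TC is bit 9 of the flags word."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def advertised_udp_size(query):
    """UDP payload size a query permits the server to use: the OPT CLASS field, else 512."""
    h = parse_header(query)
    off = 12
    for _ in range(h["qdcount"]):
        off = _skip_name(query, off) + 4  # skip QTYPE + QCLASS
    # A query carries no answer/authority records, so the additional section follows directly.
    for _ in range(h["arcount"]):
        off = _skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            return max(rclass, CLASSIC_UDP_MAX)  # RFC 6891: values below 512 count as 512
        off += 10 + rdlen
    return CLASSIC_UDP_MAX


def needs_tcp_retry(response):
    """True when the server truncated the UDP reply and the client must re-ask over TCP."""
    return parse_header(response)["tc"]


def query_with_fallback(name, server, qtype=1, edns_bufsize=None, timeout=3.0):
    """Live lookup (needs network): UDP first, then the same query over TCP if TC is set."""
    q = build_query(name, qtype, edns_bufsize=edns_bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(q, (server, 53))
        resp, _ = udp.recvfrom(65535)
    if not needs_tcp_retry(resp):
        return resp, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(q)) + q)  # TCP prefixes each message with a 2-byte length
        (length,) = struct.unpack("!H", tcp.recv(2))
        data = b""
        while len(data) < length:
            chunk = tcp.recv(length - len(data))
            if not chunk:
                raise ConnectionError("TCP reply cut short")
            data += chunk
    return data, "tcp"


# Constructed sample (not a real capture): a reply with QR=1, TC=1, RD=1, RA=1 (flags 0x8380)
# and only the question echoed back, which is what a server sends when the answer won't fit.
SAMPLE_TRUNCATED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
                          + _encode_name("example.com") + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    print("plain query allows", advertised_udp_size(build_query("example.com")), "bytes")
    print("EDNS0 query allows", advertised_udp_size(build_query("example.com", edns_bufsize=4096)), "bytes")
    print("sample reply truncated, retry over TCP:", needs_tcp_retry(SAMPLE_TRUNCATED_REPLY))
```

To see the firewall log line above in context, run query_with_fallback against your resolver once with edns_bufsize=None and once with edns_bufsize=4096 for a name whose answer is large (a DNSKEY or a long TXT set): the first either fits in 512 bytes or comes back with TC set and is retried over TCP, the second may arrive as a single UDP datagram of 660 bytes or more, which is exactly what an inspection limit of 512 will drop.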