List: bind-users
Subject: Re: Suspicious DNS queries dropped by Firewall
From: Kevin Oberman <kob6558 () gmail ! com>
Date: 2011-12-14 20:45:14
Message-ID: CAN6yY1sJP8yg4mJXM2HkTiD81_zBQJ5ic5t00G5wGfEUp6KXYQ () mail ! gmail ! com
On Wed, Dec 14, 2011 at 3:51 AM, babu dheen <babudheen@yahoo.co.in> wrote:
> In this case, do you think that internal users are trying to send emails
> directly to the internet?
>
> Email delivery is taken care of by the Email Gateway device; obviously, DKIM
> verification (if enabled) can only be done by the Email gateway of my
> company... How does an internal client make a DKIM query which uses the TXT
> record in DNS?
>
> Can you tell me a list of URLs whose size exceeds 514 bytes, to verify whether
> my internal server truncates/returns a failure code when querying such a URL
> using a UDP query?
>
Babu,
You are missing the point. DKIM records were only provided as an example of
responses that will exceed 512 bytes. Any query might get such a response.
There is no way of knowing exactly how much data will be returned with
modern DNS servers, especially with DNSSEC. But, even a simple address
query might return over 512 bytes of data.
The removal of the 512 byte limit on DNS packets is well over a decade old
and dancing around it is a losing proposition. You must either fix your
firewall (the right solution) or set your servers to NOT set the EDNS flag
(a work-around that will probably continue to be fragile).
--
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com
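One way to check the point Kevin makes (does a UDP answer over 512 bytes, or the TC fallback to TCP, actually reach your resolver?), as an added example that is not part of this thread: a minimal builder for an EDNS0 query and a parser for the reply, in Python. The name `example.com`, the 4096-byte advertised buffer and the constructed sample answer are assumptions, not data from the thread.

```python
import struct

def build_query(name, qtype=1, edns_bufsize=4096, txid=0x1234):
    """DNS query; with edns_bufsize set, an EDNS0 OPT RR (RFC 6891) advertises that UDP size."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_bufsize else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    pkt = hdr + qname + struct.pack("!HH", qtype, 1)
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return pkt

def skip_name(buf, off):
    """Offset just past a (possibly compressed) domain name."""
    while True:
        l = buf[off]
        if l == 0: return off + 1
        if (l & 0xC0) == 0xC0: return off + 2   # compression pointer ends the name
        off += 1 + l

def analyse_response(buf):
    """Facts a firewall check needs: total size, TC bit, advertised EDNS buffer size."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4        # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        if rtype == 41:
            edns_size = rclass               # OPT RR keeps the UDP size in its CLASS field
        off += 10 + rdlen
    return {"length": len(buf), "truncated": bool(flags & 0x0200),
            "edns_udp_size": edns_size, "exceeds_512": len(buf) > 512}

def verdict(info):
    if info["truncated"]:
        return "TC set: the resolver must retry over TCP, so TCP/53 has to pass the firewall"
    if info["exceeds_512"]:
        return "UDP answer over 512 bytes arrived: the firewall passes EDNS-sized datagrams"
    return "answer fits in 512 bytes: this query does not exercise the EDNS path"

def constructed_response(txt_count, chunk=200, truncated=False):
    """Constructed sample (not a captured packet): TXT answer plus OPT RR, DKIM/DNSSEC-sized."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 | (0x0200 if truncated else 0), 1, txt_count, 0, 1)
    question = build_query("example.com", 16, None)[12:]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, chunk + 1) + bytes([chunk]) + b"v" * chunk
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return hdr + question + rr * txt_count + opt
```

To run it against a real resolver, send `build_query()` over a UDP socket to port 53 and pass the reply to `analyse_response()`; a reply that never arrives at all (timeout) is the firewall-drop case the thread describes, which no parser can show.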