Thursday 29 November 2007

Cisco firewall dns packet size setting

I recently noticed that our Cisco firewalls were denying DNS packets being returned which are greater than 512 bytes in size.

On investigation, this is the default setting on Cisco PIX and ASA firewalls, and it used to be correct as per the DNS RFC, which limited UDP DNS packets to 512 bytes. Responses over this size used to fall back to TCP. Due to the overhead of using TCP and various security issues, EDNS was invented to allow larger UDP packet sizes.

From what I can determine, there is a flag passed when a DNS server requests a lookup, indicating whether it accepts EDNS and its maximum packet size. If your firewall is configured to a different value there will clearly be issues, as it will deny the valid packet that is returned.

BIND appears to cope with this situation by reverting to a packet size of 512 if the initial query fails. I've not found out what Windows does if this happens, but you would hope it does the same.

A bit of research shows this feature was implemented in Windows 2003 with a default EDNS packet size limit of 1280, and in BIND 9 with a default packet size of 4096.

So if you are using these DNS servers you may want to adjust your firewall settings accordingly, or research what your DNS server does and what its default value is. The BIND documentation describes the behaviour as follows:

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It also sets the DO EDNS flag bit in queries to indicate that it wishes to receive DNSSEC responses. Most older servers that do not support EDNS0, including prior versions of BIND, will send a FORMERR or NOTIMP response to these queries. When this happens, BIND 9 will automatically retry the query without EDNS0.

You can configure both DNS servers not to use EDNS, and you can configure the maximum packet size, but I guess the easiest option is to configure your firewall correctly.
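To make the mismatch concrete, here is an added example (not from the original post) that builds a DNS query carrying the EDNS0 OPT pseudo-record, reads back the receive buffer size a query advertises, and flags it against the firewall's DNS inspection maximum. The function names and the 512-byte default are my own assumptions; the sizes 512, 1280 and 4096 are the ones discussed above.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 2671)
DO_BIT = 0x8000        # "DNSSEC OK" flag in the OPT TTL field

def build_edns_query(name, udp_payload_size=4096, do_bit=True, txid=0x1234):
    """Wire-format A query for `name`. udp_payload_size=0 gives a plain
    pre-EDNS query; otherwise an OPT RR in the additional section advertises
    the receive buffer size (and the DO bit if requested)."""
    arcount = 1 if udp_payload_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    if not udp_payload_size:
        return header + question
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=flags, RDLEN=0
    ttl = DO_BIT if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl, 0)
    return header + question + opt

def _skip_name(pkt, off):
    """Advance past a (possibly compressed) domain name; return new offset."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, then done
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def advertised_udp_size(pkt):
    """UDP payload size advertised in the message's OPT RR, or 512 if there
    is no OPT RR (the classic pre-EDNS limit)."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        if rtype == OPT_TYPE:
            return rclass                        # CLASS field carries the size
        off += 10 + rdlen
    return 512

def exceeds_inspection_limit(query_pkt, firewall_max=512):
    """True when the resolver invites UDP replies larger than the firewall's
    DNS inspection maximum, i.e. valid big answers will be dropped."""
    return advertised_udp_size(query_pkt) > firewall_max
```

Feeding a query captured from your own resolver into `advertised_udp_size` tells you what it really advertises, which is the number the firewall's limit has to meet.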

Related articles

http://www.isc.org/index.pl?/sw/bind/bind-security.php
http://homepages.tesco.net/J.deBoynePollard/FGA/dns-edns0-and-firewalls.html
http://www.isc.org/index.pl?/sw/bind/view/?release=9.4.1-P1
http://technet2.microsoft.com/windowsserver/en/library/099d4168-4ac1-441d-81b7-0f3f4909fbd41033.mspx?mfr=true
http://northeasttech.com/classroom/courses/2278/Student/Appendix/2278B_XA.pdf
