Re: [fw-wiz] How does your firewall handle DNS messages > 512
Well, mine does cache/proxy so there is no packet size restriction
On Tue, Aug 29, 2006 at 03:13:34PM -0400, Dave Piscitello wrote:
> Hi all,
> I am trying to understand how different firewalls behave when they
> receive a UDP datagram containing a DNS message that uses EDNS0 (RFC
> 2671) to support message sizes greater than the 512 maximum specified in
> RFC 1035 (original DNS).
> - does your firewall block/silently discard such messages by default?
> - do you know the command to allow the message if blocked by default?
> I've found dozens of claims that firewalls don't handle EDNS0 correctly,
> but after a long search, I've only found URLs indicating that Firewall-1
> and Pix block by default and have workarounds.
> I'm curious whether SonicWall, Netscreen, Symantec, etc. behave
> similarly. I'd also be curious to learn the behavior of IPS devices and
> DNS proxies (Watchguard, WinProxy, etc).
firewall-wizards mailing list
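The question above turns on whether a firewall can recognise the EDNS0 OPT pseudo-RR (RFC 2671) and the UDP payload size it advertises beyond the 512-byte limit of RFC 1035. The following is an added example, not code from this thread or from any of the products named in it: a small Python 3 parser that walks a DNS message, finds the OPT record in the additional section and reports the advertised size, which is the check a packet filter or DNS proxy has to perform before deciding what to do with such a datagram. The sample query bytes are constructed for the example.

```python
import struct

OPT_TYPE = 41            # EDNS0 OPT pseudo-RR type (RFC 2671)
CLASSIC_UDP_LIMIT = 512  # RFC 1035 maximum UDP message size


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the domain name that starts at `off`.
    Handles plain label sequences and RFC 1035 compression pointers."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:                # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def edns0_udp_size(msg: bytes):
    """Return the UDP payload size advertised in the OPT RR, or None when the
    message carries no EDNS0 OPT record."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):                # question: NAME + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):      # answer, authority, additional RRs
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass              # OPT reuses the CLASS field for the UDP size
    return None


def classify(msg: bytes) -> dict:
    """Summarise what a 512-byte-only filter would need to know about `msg`."""
    size = edns0_udp_size(msg)
    return {"edns0": size is not None, "advertised_size": size,
            "may_exceed_512": size is not None and size > CLASSIC_UDP_LIMIT}


# Constructed sample: "example.com A IN" with an OPT RR advertising 4096 bytes.
EDNS0_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01"
               + b"\x07example\x03com\x00\x00\x01\x00\x01"
               + b"\x00\x00\x29\x10\x00\x00\x00\x00\x00\x00\x00")
# Constructed sample: the same query without EDNS0 (ARCOUNT = 0, no OPT RR).
PLAIN_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
               + b"\x07example\x03com\x00\x00\x01\x00\x01")
```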