Message-ID: <200305082113.h48LDH1w005472@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Fw: [NTBUGTRAQ] Win 2003 DNS requests makes replies over 512 byte PIX limit

On Thu, 08 May 2003 22:36:16 +0200, Mathias Gerber <mathias@...ergga.ch> said:

> AFAIK the DNS uses TCP for larger replies.

Back when the maximum usable MTU in the Arpanet was 584, the DNS protocol basically said "Send the query as UDP; if the reply is over 512 bytes long, the server sends back 'too big', and retry the query as TCP".

RFC2671 specifies an extension mechanism for DNS (EDNS0), and even if you don't use any other extensions, it provides a convenient way of saying "Use UDP if the packet is under 1280 (or 4K, or whatever you specify)". This allows the (hopeful) savings of a 3-packet handshake to set up a TCP session and another several packets at FIN time.

However, just as with older firewalls that break RFC3168 ECN (explicit congestion notification) because they don't like the use of previously "reserved" bits in the TCP SYN packet, some gear doesn't like seeing the RFC2671-format DNS queries and drops them on the floor...

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
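The two mechanisms the message describes, the classic "truncated UDP reply, retry over TCP" fallback and the EDNS0 OPT pseudo-RR that advertises a larger UDP payload size, are shown below in a small standard-library Python example. This is an added illustration and not code from the email or from any of the products it mentions; the query builder, the response parser, the `make_truncated_response` sample and the name `example.com` are all constructed here for the demonstration. It lets an operator confirm what a query on the wire actually carries (does it have an OPT record, and what size does it advertise) and how a client recognises that a reply was truncated, which is the behaviour a middlebox with a hard 512-byte limit interferes with.

```python
import struct

OPT_TYPE = 41          # RFC 2671 OPT pseudo-RR type code
CLASSIC_UDP_LIMIT = 512  # RFC 1035 maximum UDP payload without EDNS0


def encode_name(name):
    """Encode a dotted name as DNS labels (length-prefixed, root terminated)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, edns_udp_size=None, txid=0x1234):
    """Build a DNS query (RD set). If edns_udp_size is given, append an OPT RR
    in the additional section advertising that UDP payload size (RFC 2671)."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    msg = header + question
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE/version/flags (all zero here), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte DNS header into its fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),   # TC bit: reply was truncated
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def find_edns_udp_size(msg):
    """Walk all sections; return the UDP payload size advertised by an OPT RR,
    or None when the message carries no EDNS0 (so 512 bytes is the limit)."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass                        # CLASS field holds the size
        off += 10 + rdlen
    return None


def effective_udp_limit(query):
    """Largest UDP reply the sender of this query has said it can accept."""
    return find_edns_udp_size(query) or CLASSIC_UDP_LIMIT


def needs_tcp_retry(response):
    """Classic fallback: a reply with TC=1 did not fit, so retry over TCP."""
    return parse_header(response)["tc"]


def make_truncated_response(query):
    """Constructed sample reply: echo the question with QR=1, TC=1, RD, RA and
    no answer records, as a server does when the answer exceeds the UDP limit."""
    h = parse_header(query)
    end_q = skip_name(query, 12) + 4
    return struct.pack("!HHHHHH", h["id"], 0x8380, 1, 0, 0, 0) + query[12:end_q]


if __name__ == "__main__":
    q = build_query("example.com", edns_udp_size=1280)
    print("advertised UDP limit:", effective_udp_limit(q))
    print("truncated reply needs TCP:", needs_tcp_retry(make_truncated_response(q)))
```

A capture of a query that fails through a 512-byte-limited device can be fed to `find_edns_udp_size` to see whether it is the OPT record itself (as the message suggests some gear rejects) or merely the reply size that is the problem.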