lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <sjmznlx86ev.fsf@kikki.mit.edu>
From: derek at ihtfp.com (Derek Atkins)
Subject: Fw: [NTBUGTRAQ] Win 2003 DNS requests makes replies over 512 byte PIX limit

Mathias Gerber <mathias@...ergga.ch> writes:

> Hello hggdh,
> On Thu, 8 May 2003 12:09:22 -0500 you wrote:
> > FYI. Any ideas?
> > > We are running the latest version (6.3.1) on our Cisco PIX and it
> > > appears that there is hard limit of 512 bytes on ANY UDP packets
> > > arriving on port 53.  Everything exceeding that is dropped.
>
> AFAIK the DNS uses TCP for larger replys.

Yea, but resolvers normally use a response with the TC-bit set in
order to signal the fact that the response was truncated and TCP
should be used!  If the UDP response is dropped, then a resolver will
never see the response and never fall back to TCP.  It will timeout
and fail instead.

Also, it's possible to negotiate larger-than-512-byte UDP packets.
For example with EDNS(0) you can use larger UDP packets.  Just
dropping larger packets is a PIX bug and can cause a DNS black-hole.

> mathias

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@...fp.com             www.ihtfp.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ