DNS header length question

My CISCO PIX firewall's default setting includes this:
fixup protocol dns maximum-length 512, which I've increased to 530 to accommodate a URL that I couldn't reach due to this error:
Dropped UDP DNS reply from outside:1.2.3.4/53 to inside:5.6.7.8/79; packet length 520 bytes exceeds configured limit of 512 bytes.
I still get this kind of error, and occasionally I lose DNS resolution altogether, even though comms are still up (I get ICMP replies from external IPs). I could remove the maximum-length entry or increase it until the error goes away, but I'd prefer to know what the standard is.  My ISP uses Microsoft, and I'm hosting DNS servers on Linux systems.  Are there different standards for DNS header length for MS and Unix/Linux servers, and what is the risk of increasing the DNS maximum length above 512 on the PIX?


klukac asked:

giltjr commented:
MS and Unix/Linux don't matter. What matters is the length of the FQDN and either how many IP addresses may be defined for that host, or the length of the host if this is a CNAME instead of an A.

I believe we have ours coded at 1024 and I have never looked to see what the RFC may say.

ravenpl commented:
RFC says that in case a UDP DNS packet grows over 512 bytes, TCP should be used.
Unfortunately not all resolvers/servers care about it.
Pump it to 1024 as giltjr suggested.
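To make the two mechanisms in this answer concrete, here is an added example (my own script, not code from any of the posters or from Cisco): it builds a constructed DNS reply with many A records, applies the same "longer than N bytes gets dropped" test that fixup protocol dns maximum-length performs, and shows the RFC 1035 alternative, where a UDP reply is cut down to 512 bytes with the TC bit set so the client retries over TCP. The hostname and 10.0.0.x addresses are made up.

```python
import struct

def encode_name(name):
    """RFC 1035 wire form of a domain name: length-prefixed labels plus a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_a_reply(qname, addrs, truncate_to=None):
    """Constructed DNS reply carrying one A record per address in addrs.
    With truncate_to set (512 for classic UDP), answers are dropped until the
    message fits and the TC bit is set, which tells the client to retry over TCP."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN
    def a_record(ip):
        # owner name is a compression pointer to offset 12 (the question name)
        rdata = bytes(int(octet) for octet in ip.split("."))
        return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    answers = [a_record(ip) for ip in addrs]
    tc = False
    while truncate_to is not None and 12 + len(question) + sum(map(len, answers)) > truncate_to:
        answers.pop()
        tc = True
    flags = 0x8180 | (0x0200 if tc else 0)     # QR=1, RD=1, RA=1, plus TC when truncated
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    return header + question + b"".join(answers)

def fixup_check(packet, maximum_length=512):
    """The test 'fixup protocol dns maximum-length N' applies to a UDP reply:
    longer than N bytes means dropped. Returns (length, dropped, tc_flag_set)."""
    (flags,) = struct.unpack("!H", packet[2:4])
    return len(packet), len(packet) > maximum_length, bool(flags & 0x0200)

if __name__ == "__main__":
    # Constructed sample: 32 A records for one hostname, the kind of reply that
    # overflows the 512-byte default on the PIX (545 bytes on the wire)
    addrs = ["10.0.0.%d" % i for i in range(1, 33)]
    big = build_a_reply("www.example.com", addrs)
    for limit in (512, 1024):
        length, dropped, tc = fixup_check(big, limit)
        print("limit %d: reply %d bytes -> %s" % (limit, length, "DROPPED" if dropped else "passed"))
    fitted = build_a_reply("www.example.com", addrs, truncate_to=512)
    length, dropped, tc = fixup_check(fitted, 512)
    print("RFC 1035 UDP path: %d bytes, TC=%s (client should retry over TCP)" % (length, tc))
```

Raising maximum-length lets the oversized reply through; a resolver that honours TC instead sends a short truncated reply and finishes the lookup over TCP, which the UDP fixup never sees.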
 
klukac (Author) commented:
Sorry for my delay, was out this past week...corrected to 1024 bytes - and now I have a general idea why :)