Solved

DNS header length question

Posted on 2006-06-08
3
500 Views
Last Modified: 2008-01-09
My CISCO PIX firewall's default setting includes this:
fixup protocol dns maximum-length 512, which I've increased to 530 to accomodate a URL that I couldn't reach due to this error:
Dropped UDP DNS reply from outside:1.2.3.4/53 to inside:5.6.7.8/79; packet length 520 bytes exceeds configured limit of 512 bytes.
I still get this kind of error, and occasionally I lose DNS resolution altogether, even though comms are still up (I get ICMP replies from external IPs). I could remove the maximum-length entry or increase it until the error goes away, but I'd prefer to know what the standard is.  My ISP uses Microsoft, and I'm hosting DNS servers on Linux systems.  Are there different standards for DNS header length for MS and Unix/Linux servers, and what is the risk of increasing the DNS maximum length above 512 on the PIX?


0
Comment
Question by:klukac
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 57

Accepted Solution

by:
giltjr earned 300 total points
ID: 16867191
MS and Unix/Linux don't matter.   What matters is the length of the FDQN and either how many IP addresses may be defined for that host, or the length of the host if this is a CNAME instead of a A.

I beleive we have ours coded at 1024 and I have never looked to see what the RFC may say.
0
 
LVL 43

Assisted Solution

by:ravenpl
ravenpl earned 200 total points
ID: 16867992
RFC says that in case of UDP dns packet is to grow over 512 bytes, that TCP should be used.
Unfortunatelly not all resovers/servers care about it.
pump it to 1024 as giltjr suggested.
0
 

Author Comment

by:klukac
ID: 16924370
Sorry for my delay, was out this past week...corrected to 1024 bytes - and now I have a general idea why :)
0

Featured Post

[Webinar] Learn How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question