Re: Suspicious DNS queries dropped by Firewall

In this case, do you think that internal users are trying to send emails directly to the internet? Email delivery is taken care of by the Email Gateway device; obviously, DKIM verification (if enabled) can only be done by my company's Email gateway... How does an internal client make a DKIM query which uses the TXT record in DNS?

Can you tell me a list of URLs whose size exceeds 514 bytes, to verify whether my internal server truncates/returns a failure code when querying such a URL using a UDP query?

Regards
Babu

--- On Tue, 13/12/11, SM s...@resistor.net wrote:

> From: SM s...@resistor.net
> Subject: Re: Suspicious DNS queries dropped by Firewall
> To: bind-users@lists.isc.org
> Date: Tuesday, 13 December, 2011, 9:12 PM
>
> At 04:46 13-12-2011, babu dheen wrote:
> > In what situation, DNS packet size can exceed more than 512 bytes. In fact, my gateway DNS
>
> TXT records used for DKIM, for example.
>
> Regards,
> -sm

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Suspicious DNS queries dropped by Firewall

Hi there,

On Wed, 14 Dec 2011 babu dheen wrote:

> Can you tell me a list of URLs whose size exceeds 514 bytes, to verify whether my internal server truncates/returns a failure code when querying such a URL using a UDP query?

You really ought to be able to do this for yourself. Find any domain using DNSSEC and, for example,

dig -t any domain

--
73,
Ged.
Re: Suspicious DNS queries dropped by Firewall

On 14.12.11 17:21, babu dheen wrote:
> In this case, do you think that internal users are trying to send emails directly to the internet?

Maybe, maybe not. DNS queries can come from many other applications.

> Email delivery is taken care of by the Email Gateway device; obviously, DKIM verification (if enabled) can only be done by my company's Email gateway... How does an internal client make a DKIM query which uses the TXT record in DNS?

The client simply sends a DNS query that results in a response bigger than 512 bytes. The client only must set the EDNS flag in the outgoing

> Can you tell me a list of URLs whose size exceeds 514 bytes, to verify whether my internal server truncates/returns a failure code when querying such a URL using a UDP query?

We can not. There are millions of DNS zones and millions of responses that can cross the 512B limit. Simply fix your firewall and stop dropping DNS packets bigger than 512 bytes.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Save the whales. Collect the whole set.
Re: Suspicious DNS queries dropped by Firewall

At 03:51 14-12-2011, babu dheen wrote:
> In this case, do you think that internal users are trying to send emails directly to the internet?

No.

> Email delivery is taken care of by the Email Gateway device; obviously, DKIM verification (if enabled) can only be done by my company's Email gateway... How does an internal client make a DKIM query which uses the TXT record in DNS?

The internal client (MUA) does not make such queries.

> Can you tell me a list of URLs whose size exceeds 514 bytes, to verify whether my internal server truncates/returns a failure code when querying such a URL using a UDP query?

See http://netalyzr.icsi.berkeley.edu/

Regards,
-sm
Re: Suspicious DNS queries dropped by Firewall

On Wed, Dec 14, 2011 at 3:51 AM, babu dheen babudh...@yahoo.co.in wrote:
> In this case, do you think that internal users are trying to send emails directly to the internet? Email delivery is taken care of by the Email Gateway device; obviously, DKIM verification (if enabled) can only be done by my company's Email gateway... How does an internal client make a DKIM query which uses the TXT record in DNS?
>
> Can you tell me a list of URLs whose size exceeds 514 bytes, to verify whether my internal server truncates/returns a failure code when querying such a URL using a UDP query?

Babu,

You are missing the point. DKIM records were only provided as an example of responses that will exceed 512 bytes. Any query might get such a response. There is no way of knowing exactly how much data will be returned with modern DNS servers, especially with DNSSEC. But even a simple address query might return over 512 bytes of data.

The removal of the 512-byte limit on DNS packets is well over a decade old, and dancing around it is a losing proposition. You must either fix your firewall (the right solution) or set your servers to NOT set the EDNS flag (a work-around that will probably continue to be fragile).

--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
Suspicious DNS queries dropped by Firewall

Hi,

Our company users are using internal DNS servers for name resolution, and the internal DNS servers are configured to forward DNS queries for external names to the company gateway DNS servers:

User -- internal DNS server --- gateway DNS server --- internet

But when I look at the firewall hits, I can see the gateway DNS server is again sending a DNS query to the internal DNS server, and the same is denied in the firewall with the below error:

Dropped UDP DNS reply from OUTSIDE:gateway-dns-ip/53 to DMZ50:internal-dns-ip/63953; packet length 526 bytes exceeds configured limit of 512 bytes

Any idea?

Regards
Papdheen M
Re: Suspicious DNS queries dropped by Firewall

On 13/12/2011 13:04, babu dheen wrote:
> Hi,
>
> Our company users are using internal DNS servers for name resolution, and the internal DNS servers are configured to forward DNS queries for external names to the company gateway DNS servers:
>
> User -- internal DNS server --- gateway DNS server --- internet
>
> But when I look at the firewall hits, I can see the gateway DNS server is again sending a DNS query to the internal DNS server, and the same is denied in the firewall with the below error:
>
> Dropped UDP DNS reply from OUTSIDE:gateway-dns-ip/53 to DMZ50:internal-dns-ip/63953; packet length 526 bytes exceeds configured limit of 512 bytes

Your firewall is misconfigured. Who said DNS reply packets cannot be bigger than 512 bytes? You need to reconfigure your firewall, and remove that 512-byte limit for DNS queries and responses.
Re: Suspicious DNS queries dropped by Firewall

Dear Anand,

In what situation can the DNS packet size exceed 512 bytes? In fact, my gateway DNS server should not contact the internal DNS server except for internal domain name resolution, if any user accesses an internal website through the proxy. My proxy is using the gateway DNS for name resolution. So if any user accesses an internal website through the proxy, the proxy will send the name lookup to the gateway DNS, and the gateway DNS will forward the request to the internal DNS server. In this case, will the internal domain DNS query exceed 512 bytes?

Regards
papdheen M

--- On Tue, 13/12/11, Anand Buddhdev ana...@ripe.net wrote:

> From: Anand Buddhdev ana...@ripe.net
> Subject: Re: Suspicious DNS queries dropped by Firewall
> To: babu dheen babudh...@yahoo.co.in
> Cc: bind-users@lists.isc.org
> Date: Tuesday, 13 December, 2011, 5:39 PM
>
> On 13/12/2011 13:04, babu dheen wrote:
> > Hi,
> >
> > Our company users are using internal DNS servers for name resolution, and the internal DNS servers are configured to forward DNS queries for external names to the company gateway DNS servers:
> >
> > User -- internal DNS server --- gateway DNS server --- internet
> >
> > But when I look at the firewall hits, I can see the gateway DNS server is again sending a DNS query to the internal DNS server, and the same is denied in the firewall with the below error:
> >
> > Dropped UDP DNS reply from OUTSIDE:gateway-dns-ip/53 to DMZ50:internal-dns-ip/63953; packet length 526 bytes exceeds configured limit of 512 bytes
>
> Your firewall is misconfigured. Who said DNS reply packets cannot be bigger than 512 bytes? You need to reconfigure your firewall, and remove that 512-byte limit for DNS queries and responses.
Re: Suspicious DNS queries dropped by Firewall

On 13/12/11 12:46, babu dheen wrote:
> Dear Anand,
>
> In what situation can the DNS packet size exceed 512 bytes? In

This has been discussed many times on the list and elsewhere. There's no need to reiterate it again. DNS packets > 512 bytes are legal. You should permit them.

> In this case, will the internal domain DNS query exceed 512 bytes?
>
> Regards

If you block DNS requests > 512 bytes, you are breaking your own network. It is incorrect to do this. Fix your firewall.
Re: Suspicious DNS queries dropped by Firewall

On 12/13/2011 07:46 AM, babu dheen wrote:
> Dear Anand,
>
> In what situation can the DNS packet size exceed 512 bytes? In fact, my gateway DNS server should not contact the internal DNS server except for internal domain name resolution, if any user accesses an internal website through the proxy. My proxy is using the gateway DNS for name resolution. So if any user accesses an internal website through the proxy, the proxy will send the name lookup to the gateway DNS, and the gateway DNS will forward the request to the internal DNS server. In this case, will the internal domain DNS query exceed 512 bytes?
>
> Regards
> papdheen M

Papdheen,

The firewall is dropping the response packet; the gateway DNS servers are not initiating the query.

EDNS can be larger than 512-byte UDP, so it's most likely your internal DNS server is sending the query with the EDNS flag set, which triggers the gateway DNS server to respond with a large UDP packet instead of a 512-byte one with the truncated flag set, which would then trigger the internal DNS server to run the query again over TCP 53 to get the full response.

With DNSSEC, responses are often over the old 512-byte limit. Most current resolvers will use the EDNS flag over UDP to avoid having to duplicate the query over TCP when they get a truncated response over UDP.

So either remove the DNS payload size limit or raise it, update the firewall to support EDNS detection in its stateful inspection of DNS, or configure your internal DNS resolver to explicitly not use EDNS.

Overview of EDNS: https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS

-James Keller

--- On Tue, 13/12/11, Anand Buddhdev ana...@ripe.net wrote:

> From: Anand Buddhdev ana...@ripe.net
> Subject: Re: Suspicious DNS queries dropped by Firewall
> To: babu dheen babudh...@yahoo.co.in
> Cc: bind-users@lists.isc.org
> Date: Tuesday, 13 December, 2011, 5:39 PM
>
> On 13/12/2011 13:04, babu dheen wrote:
> > Hi,
> >
> > Our company users are using internal DNS servers for name resolution, and the internal DNS servers are configured to forward DNS queries for external names to the company gateway DNS servers:
> >
> > User -- internal DNS server --- gateway DNS server --- internet
> >
> > But when I look at the firewall hits, I can see the gateway DNS server is again sending a DNS query to the internal DNS server, and the same is denied in the firewall with the below error:
> >
> > Dropped UDP DNS reply from OUTSIDE:gateway-dns-ip/53 to DMZ50:internal-dns-ip/63953; packet length 526 bytes exceeds configured limit of 512 bytes
>
> Your firewall is misconfigured. Who said DNS reply packets cannot be bigger than 512 bytes? You need to reconfigure your firewall, and remove that 512-byte limit for DNS queries and responses.
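The two code paths James describes above (an EDNS query that gets a large UDP reply, versus a classic query that gets a 512-byte truncated reply and a TCP retry) can be reproduced offline. The following is an added example, not code from the thread or from BIND: it builds a TXT query with and without an EDNS0 OPT record, constructs a DKIM-sized reply to each, and reports what a fixed 512-byte DNS inspector like the firewall in the original post would do with it and what a resolver would do next. The domain name, the TXT contents and the function names are all constructed for illustration.

```python
"""Added example: why a DKIM-sized TXT reply is dropped by a 512-byte DNS inspector
when the client used EDNS, but survives (truncated) when it did not. All packets
are built in memory; nothing touches the network."""
import struct

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1
CLASSIC_UDP_LIMIT = 512   # the limit the firewall in the thread enforces (RFC 1035 era)
TC_FLAG = 0x0200          # "truncated" bit in the DNS header flags


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer is 2 bytes
            return off + 2
        off += 1 + n


def build_query(name, qtype, txid=0x1234, edns_udp_size=None):
    """Standard recursive query; with edns_udp_size an OPT RR (RFC 6891) is appended
    advertising how large a UDP reply the client is willing to receive."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_udp_size:
        # OPT RR: root owner name, type 41, the CLASS field carries the UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def build_txt_reply(query, txt_strings, advertise=None):
    """Constructed reply: copies the question, adds one TXT RR made of the given
    character-strings, and echoes an OPT RR back when the server speaks EDNS."""
    txid, = struct.unpack("!H", query[:2])
    qend = skip_name(query, 12) + 4
    rdata = b"".join(bytes([len(s)]) + s for s in txt_strings)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1 if advertise else 0)
    msg = hdr + query[12:qend] + answer
    if advertise:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, advertise, 0, 0)
    return msg


def truncate_classic(reply):
    """What a server does for a non-EDNS client when the reply would exceed 512 bytes:
    drop the answer section and set TC so the client retries over TCP."""
    if len(reply) <= CLASSIC_UDP_LIMIT:
        return reply
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    qend = skip_name(reply, 12) + 4
    return struct.pack("!HHHHHH", txid, flags | TC_FLAG, qd, 0, 0, 0) + reply[12:qend]


def inspect_reply(reply):
    """Length, TC bit and advertised EDNS UDP size (None if no OPT RR present)."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(reply, off) + 4
    edns_size = None
    for _ in range(an + ns + ar):
        off = skip_name(reply, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        if rtype == TYPE_OPT:
            edns_size = rclass        # OPT reuses CLASS for the UDP payload size
        off += 10 + rdlen
    return {"length": len(reply), "tc": bool(flags & TC_FLAG), "edns_udp_size": edns_size}


def firewall_drops(reply, limit=CLASSIC_UDP_LIMIT):
    """A DNS inspector with a fixed message-length maximum drops any larger reply,
    regardless of the size the client advertised via EDNS."""
    return len(reply) > limit


def resolver_action(reply):
    return "retry over TCP" if inspect_reply(reply)["tc"] else "accept"


# Constructed DKIM-style TXT record: two character-strings (each <= 255 bytes),
# about the size of a real 2048-bit key record.
DKIM_TXT = [b"v=DKIM1; k=rsa; p=" + b"A" * 200, b"B" * 250]
QNAME = "selector._domainkey.example.com"       # constructed name
QUERY_EDNS = build_query(QNAME, TYPE_TXT, edns_udp_size=4096)
QUERY_PLAIN = build_query(QNAME, TYPE_TXT)
REPLY_EDNS = build_txt_reply(QUERY_EDNS, DKIM_TXT, advertise=4096)
REPLY_PLAIN = truncate_classic(build_txt_reply(QUERY_PLAIN, DKIM_TXT))

if __name__ == "__main__":
    for label, r in (("EDNS client", REPLY_EDNS), ("classic client", REPLY_PLAIN)):
        print(label, inspect_reply(r), "dropped by 512-byte inspector:",
              firewall_drops(r), "->", resolver_action(r))
```

Running it shows the EDNS reply at 542 bytes with no TC bit (exactly the kind of packet the firewall log in the original post reports dropping), while the classic reply is 49 bytes with TC set, which is why a resolver without EDNS "works" behind such a firewall at the cost of a second round trip over TCP. The thread's answer stands: raising or removing the inspector's length limit is the fix, and disabling EDNS on the internal resolver only trades one failure mode for another.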
Re: Suspicious DNS queries dropped by Firewall

At 04:46 13-12-2011, babu dheen wrote:
> In what situation, DNS packet size can exceed more than 512 bytes. In fact, my gateway DNS

TXT records used for DKIM, for example.

Regards,
-sm