
Re: [FW-1] DNS Question



On Thu, 2002-05-02 at 10:05, Martin, Jeffrey wrote:
> We allow DNS over UDP only and have not had any problems. Don, can you give
> us a reference/RFC for these large DNS requests over TCP? I find nothing
> about it; it is my understanding that only zone transfers use TCP.
I guess my last post didn't make it. See Stevens v. 1 p. 206 for details
on this. Essentially, queries that result in responses over 512 bytes
are re-sent using TCP.


Doug

>
> -----Original Message-----
> From: Don [mailto:[email protected]]
> Sent: Thursday, May 02, 2002 8:08 AM
> To: [email protected]
> Subject: Re: [FW-1] DNS Question
>
>
> > 53-TCP is used for zone transfer and should be secured; 53-UDP can be open to
> > all. TIP.
> This is not correct. Please read my post below.
>
> -Don
>
> > >>>After all the IPSO upgrades and service pack upgrades for our
> > >>>Nokia/Checkpoint 4.1 SP5a solution, we started seeing some random
> > >>>results with our DNS servers.  Sometimes, it would fail on the first
> > >>>lookup - but after that it would be ok... my question is simple... for
> > >>>the last several years we've had the simple 2 rules for our DNS Servers:
> > >>>
> > >>>1.    Any (Source)    DNSServers(Destination)    DNS-53(Port)
> > >>>2.     DNSServers (Source)    Any (Source)    DNS-53 (port)
> > >>>
> > >>>The question is simple...are we missing something obvious???  Our DNS
> > >>>servers are Windows 2000.
> > >>>
> > >>When you say DNS-53, do you mean UDP or TCP? You need to allow both in
> > >>order for DNS to function properly. Most DNS requests use UDP port 53,
> > >>however larger requests use TCP port 53. It may be these larger requests
> > >>that are failing.
> > >>
> > >>-Don
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
--
Doug Maxwell <[email protected]>
Senior Network Security Engineer, CCSI
Integralis-US
Phone: Fax:
Please note that:

1. This e-mail may constitute privileged information. If you are not the intended recipient, you have received this
   confidential email and any attachments transmitted with it in error and you must not disclose, copy, circulate
   or in any other way use or rely on this information.
2. E-mails to and from the company are monitored for operational reasons and in accordance with lawful business
   practices.
3. The contents of this email are those of the individual and do not necessarily represent the views of the company.
4. The company does not conclude contracts by email and all negotiations are subject to contract.
5. The company accepts no responsibility once an e-mail and any attachments are sent.

Integralis Ltd.
Theale House, Brunel Road
Theale, Reading RG7 4 AQ, UK
Tel: Fax:
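
Added example, not part of the original thread or of any poster's message: the UDP-to-TCP fallback discussed above, simulated offline to show why a rule base that passes only UDP/53 fails on some lookups and not others. The toy server, host name and addresses are constructed; the 512-byte limit and the TC (truncated) header flag are from RFC 1035, and EDNS0 is assumed not to be in use.

```python
import struct

UDP_LIMIT = 512   # classic DNS-over-UDP message size limit (RFC 1035, no EDNS0)
TC_BIT = 0x0200   # "truncated" flag in the header flags word

def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_query(txid, name, qtype=1):
    """Standard query, recursion desired, one question (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query, addresses, transport):
    """Constructed toy server: one A record per address.
    Over UDP, a reply above 512 bytes shrinks to header+question with TC set."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(a)
                   for a in addresses)
    flags = 0x8180  # response, RD, RA, rcode 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0) + question + rrs
    if transport == "udp" and len(msg) > UDP_LIMIT:
        msg = struct.pack("!HHHHHH", txid, flags | TC_BIT, 1, 0, 0, 0) + question
    elif transport == "tcp":
        msg = struct.pack("!H", len(msg)) + msg  # TCP framing: 2-byte length prefix
    return msg

def is_truncated(udp_reply):
    """True when the TC flag is set in a DNS message header."""
    return bool(struct.unpack("!H", udp_reply[2:4])[0] & TC_BIT)

def resolve(name, addresses, tcp_allowed):
    """Client logic: try UDP, repeat over TCP if TC is set.
    Returns (transport_used, answer_count); tcp_allowed models the firewall rule."""
    query = build_query(0x1234, name)
    reply = build_response(query, addresses, "udp")
    if not is_truncated(reply):
        return "udp", struct.unpack("!H", reply[6:8])[0]
    if not tcp_allowed:  # rule base passes only UDP/53
        return "failed", 0
    framed = build_response(query, addresses, "tcp")
    length = struct.unpack("!H", framed[:2])[0]
    return "tcp", struct.unpack("!H", framed[2:2 + length][6:8])[0]

SMALL = [(192, 0, 2, i) for i in range(1, 4)]    # constructed: 3 A records, 81-byte reply
LARGE = [(192, 0, 2, i) for i in range(1, 41)]   # constructed: 40 A records, 673-byte reply
```

With TCP/53 blocked, the small answer still resolves over UDP while the large one fails.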



 
   All contents © 2004 Network Presence, LLC. All rights reserved.