NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 


Search
display results
words begin  exact words  any words part 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] DNS Question


  • To: [email protected]
  • Subject: Re: [FW-1] DNS Question
  • From: Steve McNutt <[email protected]>
  • Date: Fri, 3 May 2002 10:50:00 -0400
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcHyIZFS6WZapZTkTFmctZ+GAZOy3wAjnETg
  • Thread-topic: [FW-1] DNS Question

Don is a sharp cookie.

Looks like the issue has been covered very well.  The only thing I have
to add is that O'Reilly's DNS and Bind should be required reading before
touching DNS.  If you admin a firewall and do not have this book, shame
on you.  Redeem yourself and go read it now :-).

(This will probably get wrapped. Sorry.)
http://www.amazon.com/exec/obidos/ASIN//qid=/sr=1-1/
ref=sr_1_1/-7830520


-s

-----Original Message-----
From: Don [mailto:[email protected]]
Sent: Thursday, May 02, 2002 12:40 PM
To: [email protected]
Subject: Re: [FW-1] DNS Question


> We allow DNS over UDP only and have not had any problems.
Since this only affects large queries, you would probably not notice the
failures. It is, however, wrong.

> Don, can you give us a reference/RFC for these large DNS requests over

> TCP?
RFC 1035.

http://www.faqs.org/rfcs/rfc1035.html

Section 4.2

> I find nothing
> about it, it is my understanding that only zone transfers use TCP.
This is a very common misconception. UDP is the standard transport, but
not the required one. You could perform every request with a TCP
connection, however a TCP connection is usually only used after a UDP
connection has failed to fit within the 512 byte window resulting in the
TC bit being set in the header.

-Don

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.