[Courses] [Security] Firewall theory -- UDP

Raven, corporate courtesan raven at oneeyedcrow.net
Mon Mar 18 13:37:59 EST 2002


Heya --

Quoth coldfire (Fri, Mar 15, 2002 at 04:21:04PM -0500):
> UDP is undoubtedly the primary protocol for dns replies but there is a
> limit as to how big the reply can be.  that limit is 512 bytes.  if the
> reply is larger than 512 bytes, there's a flag in the DNS header which is
> flagged (TC, "truncated") which means that the reply was larger than 512
> bytes, but only the first 512 bytes were returned.  i'm not sure if the
> 512 byte limit includes the IP and UDP headers or if it only covers the
> DNS message ... i can't remember exactly, but i think i recall reading
> that this gives enough room for 8 answers .. don't quote me on that
> though.

	It couldn't be that sort of "ask via UDP, get UDP reply with TC
set, ask via TCP" thing, though, because the firewall would drop the UDP
reply with TC set, and so the client would never know to connect via
TCP.

	Alternatively, you could custom-code a DNS client program that
only requests via TCP.  Since the firewall in question was done by
someone who's a decent programmer [grin], this is a distinct
possibility.

	[resolves to go get the new "DNS and BIND" and see if that helps
explain things]

	Having done some digging, I found some vague references to a
"virtual circuit" that can be established to a nameserver via TCP, but
no helpful details.  I may have to go to the RFCs.
 
> when a host receives a DNS reply with the TC flag set, it typically sends
> the request again using TCP.  i'm not sure, but i'd guess that ARP handles
> all of the udp and tcp requests for this stuff.  at least it should ;P

	ARP should handle any IP-to-Ethernet address translations,
regardless of what sort of traffic the IP packet carries.

Cheers,
Raven
 
"Sed, sed, awk.  Like duck, duck, goose.  Sync, sync, halt.  It's the
 order of nature."
  -- me, after too long a day at work
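
The two behaviours discussed in this message, as an added example that is not part of the original post: checking the TC flag in a reply header, and a client that only ever asks over TCP, using the 2-byte length prefix DNS messages carry on TCP. The function names and the sample reply are constructed for illustration.

```python
import socket
import struct

TC_BIT = 0x0200  # "truncated" flag in the DNS header flags word (RFC 1035)

def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS query message (header + one question) for `name`."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def is_truncated(message):
    """True if the TC flag is set in a DNS message header."""
    if len(message) < 12:
        raise ValueError("shorter than a DNS header")
    (flags,) = struct.unpack("!H", message[2:4])
    return bool(flags & TC_BIT)

def frame_for_tcp(message):
    """DNS over TCP prefixes each message with a 2-byte length."""
    return struct.pack("!H", len(message)) + message

def _recv_exact(sock, n):
    """Read exactly n bytes; TCP may deliver the reply in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed connection early")
        buf += chunk
    return buf

def query_tcp_only(server, name, timeout=3.0):
    """Send the query over TCP port 53 only; no UDP packet is ever sent."""
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(frame_for_tcp(build_query(name)))
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return _recv_exact(sock, length)

# Constructed sample: a reply header with QR, TC, RD and RA set (0x8380).
SAMPLE_TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
```

A firewall that drops all UDP replies never lets the client see the TC bit, which is why only the TCP-only path works in the setup described above.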


