[Courses] [Security] Firewall theory -- UDP

coldfire rolick571 at duq.edu
Fri Mar 15 17:21:04 EST 2002


> > Our firewall drops UDP. All of it. There is some complicated thing
> > to do with letting DNS queries work. It can be done, but I'd have
> > to go and investigate to find out how. For all I know, it was 
> > "ask person who runs nameserver to do TCP too".
> 
> 	Heh.  I'd actually love to know how that works.  I can't think
> of any way to get it done without either controlling and custom-hacking
> your external nameserver, or accepting some UDP.

UDP is undoubtedly the primary protocol for DNS replies, but there is a
limit as to how big the reply can be.  That limit is 512 bytes.  If the
reply is larger than 512 bytes, there's a flag in the DNS header which is
set (TC, "truncated") which means that the reply was larger than 512
bytes, but only the first 512 bytes were returned.  I'm not sure if the
512 byte limit includes the IP and UDP headers or if it only covers the
DNS message ... I can't remember exactly, but I think I recall reading
that this gives enough room for 8 answers .. don't quote me on that
though.

When a host receives a DNS reply with the TC flag set, it typically sends
the request again using TCP.  I'm not sure, but I'd guess that ARP handles
all of the UDP and TCP requests for this stuff.  At least it should ;P
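The truncation and TCP-retry behaviour described in the post, as an added example (not code from the original message): the 512-byte cap of RFC 1035 applies to the DNS message alone, not the IP/UDP headers, so a firewall that drops all UDP must still let TCP/53 through for the client's retry to succeed. All names, addresses and the transaction id below are constructed; the server-side truncation cuts at 512 bytes exactly as the post describes, where a real server would drop whole records and fix the counts.

```python
import struct

DNS_UDP_MAX = 512   # RFC 1035 cap on the DNS message itself; IP/UDP headers are not counted
FLAG_QR = 0x8000    # header bit: this message is a response
FLAG_TC = 0x0200    # header bit: truncated, only the first 512 bytes were returned

def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(txid, qname, addrs):
    """Server side: question section plus one A record per address (constructed data)."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    answers = b""
    for a in addrs:
        rdata = bytes(int(o) for o in a.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    header = struct.pack("!HHHHHH", txid, FLAG_QR, 1, len(addrs), 0, 0)
    return header + question + answers

def truncate_for_udp(msg):
    """Server side: set TC and cut at 512 bytes when the reply will not fit in UDP."""
    if len(msg) <= DNS_UDP_MAX:
        return msg
    flags = struct.unpack("!H", msg[2:4])[0] | FLAG_TC
    return msg[:2] + struct.pack("!H", flags) + msg[4:DNS_UDP_MAX]

def parse_header(msg):
    """Client side: decode the 12-byte header and expose the fields that matter here."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an}

def needs_tcp_retry(reply, expected_id):
    """True when the client should re-send the same query over TCP."""
    h = parse_header(reply)
    return h["id"] == expected_id and h["qr"] and h["tc"]

def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg
```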
