Re: Can't Resolve Certain internet DNS names
- From: "Kevin D. Goodknecht Sr. [MVP]" <admin@xxxxxxxxxxxxxx>
- Date: Mon, 11 Jul 2005 12:57:12 -0500
In news:TixAe.30157$SQ1.21616@xxxxxxxx,
hamm3r <hammer@xxxxxxxxxxxxxxxxxxxxxxx> posted this:
> This information pointed me to the resolution thank you!
> Our firewall was already using 1500 MTU, but the Checkpoint
> SmartDefense rule was blocking it as though it was an illegal, non
> RFC compliant packet.
>
> Why are some websites using non-RFC compliant packets for DNS?
It is not websites, it is your DNS server, and it is RFC compliant. Some
queries do not fit into one UDP packet; it has always been that way. EDNS is
new to Win2k3 and later versions of BIND; before EDNS was introduced, DNS had
to retry the query using TCP. The reason the query failed is because the DNS
server on the other end used EDNS to respond, the packet was blocked at
your firewall, and the DNS server refused to make the query again.
This happens a lot with CNAME and MX records because many just won't fit
into one UDP packet and will be truncated; if even a few bytes of a DNS query
are missing, the packet is considered corrupt.
> Am I jeopardizing our network by allowing such packets?
No, so long as other rules are in place to recognize non-DNS UDP packets.
> Here is a description of the rule I had to turn off to resolve this
> problem:
>
> "SmartDefense is able to recognize an illegal DNS packet. This ability
> enables SmartDefense to catch potentially harmful packets before they
> enter the network.
>
> SmartDefense enables a system administrator to enforce TCP and UDP
> protocols. Only legal DNS packets sent over TCP or UDP will be able
> to enter the network. In this case, all DNS port connections over UDP
> and TCP will be monitored to verify that every DNS packet attempting
> to enter the network is legal (that is, RFC compliant)."
This is an old rule; UDP packets over 512 bytes for DNS queries are RFC
compliant now.
-- 
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
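As an added illustration (not part of the thread), the Python below builds a DNS query with and without the EDNS0 OPT pseudo-record that the reply refers to, and reads back the header TC bit that pre-EDNS resolvers use to decide on a TCP retry. This is what a firewall rule written for the old 512-byte limit sees on the wire; the name "example.com" and the payload sizes are constructed values.

```python
import struct

def _encode_name(name):
    """Encode a dotted name as DNS labels (length-prefixed, root terminated)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def _skip_name(pkt, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def build_query(name, qtype=15, edns_udp_size=None, txid=0x1234):
    """Standard recursive query for `name` (qtype 15 = MX). With edns_udp_size set,
    append an EDNS0 OPT record (RFC 2671) to the additional section advertising
    that the sender accepts UDP replies larger than the classic 512 bytes."""
    arcount = 1 if edns_udp_size else 0
    pkt = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    pkt += _encode_name(name) + struct.pack(">HH", qtype, 1)
    if edns_udp_size:
        # OPT RR: root owner name, TYPE 41, CLASS carries the UDP payload size,
        # TTL carries extended RCODE/version/flags (all zero here), RDLENGTH 0.
        pkt += b"\x00" + struct.pack(">HHIH", 41, edns_udp_size, 0, 0)
    return pkt

def inspect(pkt):
    """Return (truncated, edns_udp_size): the header TC bit, and the payload size
    advertised by an OPT record in any RR section, or None if there is none."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        if rtype == 41:
            edns_size = rclass
        off += 10 + rdlen
    return bool(flags & 0x0200), edns_size

# Constructed sample: a UDP reply with QR and TC set and no answers, i.e. the
# pre-EDNS signal that the answer did not fit and must be retried over TCP.
SAMPLE_TRUNCATED_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8200, 1, 0, 0, 0)
                          + _encode_name("example.com") + struct.pack(">HH", 15, 1))
```

A resolver that receives SAMPLE_TRUNCATED_REPLY retries over TCP; one that advertised 4096 bytes via OPT instead expects the large answer in a single UDP datagram, which is exactly the packet the old "illegal DNS" rule drops.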