Re: Can't Resolve Certain internet DNS names
- From: "hamm3r" <hammer@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 12 Jul 2005 06:07:25 -0400
Thanks, Kevin! Again, your response is very much appreciated!
"Kevin D. Goodknecht Sr. [MVP]" <admin@xxxxxxxxxxxxxx> wrote in message
news:%23FZm4HkhFHA.3936@xxxxxxxxxxxxxxxxxxxxxxx
> In news:TixAe.30157$SQ1.21616@xxxxxxxx,
> hamm3r <hammer@xxxxxxxxxxxxxxxxxxxxxxx> posted this:
>> This information pointed me to the resolution, thank you!
>> Our firewall was already using 1500 MTU, but the Checkpoint
>> SmartDefense rule was blocking it as though it was an illegal, non
>> RFC compliant packet.
>>
>> Why are some websites using non-RFC compliant packets for DNS?
>
> It is not websites, it is your DNS server, and it is RFC compliant. Some
> queries do not fit into one UDP packet; it has always been that way. EDNS
> is new to Win2k3 and later versions of BIND; before EDNS was introduced, DNS
> had to retry the query using TCP. The reason the query failed is because the
> DNS server on the other end used EDNS to respond and the packet was blocked at
> your firewall, and the DNS server refused to make the query again.
> This happens a lot with CNAME and MX records because many just won't fit
> into one UDP packet and will be truncated; if even a few bytes of a DNS
> query are missing, the packet is considered corrupt.
>
>> Am I jeopardizing our network by allowing such packets?
>
> No, so long as other rules are in place to recognize non-DNS UDP packets.
>
>
>> Here is a description of the rule I had to turn off to resolve this
>> problem:
>>
>> "SmartDefense is able to recognize an illegal DNS packet. This ability
>> enables SmartDefense to catch potentially harmful packets before they
>> enter the network.
>>
>> SmartDefense enables a system administrator to enforce TCP and UDP
>> protocols. Only legal DNS packets sent over TCP or UDP will be able
>> to enter the network. In this case, all DNS port connections over UDP
>> and TCP will be monitored to verify that every DNS packet attempting
>> to enter the network is legal (that is, RFC compliant)."
>
> This is an old rule; UDP packets over 512 bytes for DNS queries are RFC
> compliant now.
>
>
>
>
> --
> Best regards,
> Kevin D4 Dad Goodknecht Sr. [MVP]
> Hope This Helps
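To see why a DNS response over UDP can legitimately exceed 512 bytes, here is an added example (not code from the thread or from Check Point) that parses a constructed DNS response, reads the TC flag, and pulls the advertised UDP payload size out of the EDNS0 OPT pseudo-record; the sample message, names and sizes are all constructed for illustration.

```python
import struct

# Constructed sample: a DNS response for "example.com" MX whose additional
# section carries an EDNS0 OPT record advertising a 4096-byte UDP payload.
def build_sample_response(answer_count: int) -> bytes:
    name = b"\x07example\x03com\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, answer_count, 0, 1)
    question = name + struct.pack("!HH", 15, 1)          # QTYPE=MX, QCLASS=IN
    rdata = struct.pack("!H", 10) + b"\x04mail" + name   # preference + exchanger
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 15, 1, 3600, len(rdata)) + rdata
    # OPT RR (RFC 6891): root name, TYPE=41, CLASS field = sender's UDP payload size
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return header + question + answer * answer_count + opt

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def inspect(msg: bytes) -> dict:
    """Summarise header flags, EDNS0 payload size and size of a DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                    # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == 41:                                  # OPT: CLASS holds UDP size
            edns_size = rclass
        off += 10 + rdlen
    return {
        "truncated": bool(flags & 0x0200),   # TC bit set: client must retry over TCP
        "edns_udp_size": edns_size,          # None means no EDNS0, classic 512 limit
        "length": len(msg),
        "exceeds_512": len(msg) > 512,       # what a pre-EDNS "illegal packet" rule keys on
    }

if __name__ == "__main__":
    for n in (1, 20):
        print(n, "answers:", inspect(build_sample_response(n)))
```

With 20 MX answers the message is 680 bytes, well over the classic 512-byte UDP limit, yet it is a valid EDNS0 response with TC clear, which is exactly the kind of packet the old SmartDefense rule dropped.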