Re: Netscreen: Lots of extraneous "denied" packets in log
From: Moe Trin <ibuprofin@painkiller.example.tld>
Date: Sat Feb 25 2006 - 21:16:15 CET

On Sat, 25 Feb 2006, in the Usenet newsgroup comp.security.firewalls, in article
<46alepFa5v52U1@news.dfncis.de>, Sebastian Gottschalk wrote:

>A well-known problem with the same effect is that people and some
>implementations don't assume the answer to be sent with TCP instead of
>UDP (if the answer doesn't fit into a single UDP packet).

Can you show a packet dump of such behaviour? Maybe you want to
re-read RFC1034 and 1035 again.

  1034 Domain names - concepts and facilities. P.V. Mockapetris.
       Nov-01-1987. (Format: TXT=129180 bytes) (Obsoletes RFC0973, RFC0882,
       RFC0883) (Updated by RFC1101, RFC1183, RFC1348, RFC1876, RFC1982,
       RFC2065, RFC2181, RFC2308, RFC2535, RFC4033, RFC4034, RFC4035) (Also
       STD0013) (Status: STANDARD)

  1035 Domain names - implementation and specification. P.V.
       Mockapetris. Nov-01-1987. (Format: TXT=125626 bytes) (Obsoletes
       RFC0973, RFC0882, RFC0883) (Updated by RFC1101, RFC1183, RFC1348,
       RFC1876, RFC1982, RFC1995, RFC1996, RFC2065, RFC2136, RFC2181,
       RFC2137, RFC2308, RFC2535, RFC2845, RFC3425, RFC3658, RFC4033,
       RFC4034, RFC4035) (Also STD0013) (Status: STANDARD)

DNS servers do not spontaneously reply using TCP to a UDP request. If the
UDP request results in a reply that is too large, the TC flag is set in the
reply, and the querying station may elect to repeat the request using TCP.
ONLY THEN will there be a TCP packet exchange. See section 4.2 of RFC1035.

        Old guy
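For anyone reading the firewall logs and wondering when TCP/53 should legitimately appear, the exchange Moe Trin describes can be shown in code. The following is an added example, not code from the post or the thread: it builds a constructed UDP query and two constructed replies (one complete, one with the TC bit set), parses the header the way a resolver would, and only flags the truncated, ID-matching reply as grounds for a TCP retry. It also shows the two-byte length prefix RFC 1035 section 4.2.2 requires when the query is repeated over TCP. The names `build_query`, `build_response`, `needs_tcp_retry` and `frame_for_tcp` are this example's own.

```python
"""Added example (not from the original post): when does a DNS client
legitimately switch from UDP to TCP?  Only after a UDP reply arrives with
the TC (truncation) flag set, per RFC 1035 section 4.2."""
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (six 16-bit fields)
HEADER = struct.Struct("!HHHHHH")

FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # response was truncated to fit the UDP limit
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: length byte + label, ending in 0."""
    out = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return out + b"\x00"


def build_query(ident: int, name: str) -> bytes:
    """Constructed A/IN query for `name` with a caller-chosen ID."""
    header = HEADER.pack(ident, FLAG_RD, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def build_response(query: bytes, truncated: bool) -> bytes:
    """Constructed reply echoing the question section of `query`.

    A server that truncates drops the sections it cannot fit and sets TC;
    here the answer section is simply left empty in both cases so the only
    difference between the two replies is the flag itself."""
    ident, _flags, qdcount, _an, _ns, _ar = HEADER.unpack_from(query, 0)
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    if truncated:
        flags |= FLAG_TC
    return HEADER.pack(ident, flags, qdcount, 0, 0, 0) + query[HEADER.size:]


def parse_header(msg: bytes) -> dict:
    """Pull the fields a resolver checks before trusting a reply."""
    if len(msg) < HEADER.size:
        raise ValueError("short DNS message")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_reply: bytes, expected_id: int) -> bool:
    """True only for a response whose ID matches our query and has TC set.

    This is the single condition under which a well-behaved client opens
    TCP/53; a server never answers a UDP query over TCP on its own."""
    h = parse_header(udp_reply)
    return h["qr"] and h["id"] == expected_id and h["tc"]


def frame_for_tcp(query: bytes) -> bytes:
    """RFC 1035 4.2.2: on TCP each message is prefixed with its 2-byte length."""
    return struct.pack("!H", len(query)) + query


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    for label, reply in (("complete", build_response(q, False)),
                         ("truncated", build_response(q, True))):
        retry = needs_tcp_retry(reply, 0x1234)
        print(f"{label} UDP reply -> TC={parse_header(reply)['tc']}, retry over TCP: {retry}")
    print("TCP-framed query:", frame_for_tcp(q).hex())
```

The practical reading for a firewall admin: TCP/53 from a client to a resolver is expected only right after that client received a truncated UDP answer, and the TCP stream carries the same question, length-prefixed. A TCP reply arriving without a preceding TCP query is not how DNS works and is worth investigating.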
Received on Mon May 1 00:52:55 2006