Re: Netscreen: Lots of extraneous "denied" packets in log

From: Somebody. <somebody.@nospam.russdoucet.com>
Date: Sat Feb 25 2006 - 23:50:14 CET

"Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message
news:slrne01eod.nq1.ibuprofin@compton.phx.az.us...
> On Sat, 25 Feb 2006, in the Usenet newsgroup comp.security.firewalls, in
> article
> <46alepFa5v52U1@news.dfncis.de>, Sebastian Gottschalk wrote:
>
>>A well-known problem with the same effect is that people and some
>>implementations don't assume the answer to be sent with TCP instead of
>>UDP (if the answer doesn't fit into a single UDP packet).
>
> Can you show a packet dump of such behaviour? Maybe you want to
> re-read RFC1035 and 1035 again.
>
> 1034 Domain names - concepts and facilities. P.V. Mockapetris.
> Nov-01-1987. (Format: TXT=129180 bytes) (Obsoletes RFC0973, RFC0882,
> RFC0883) (Updated by RFC1101, RFC1183, RFC1348, RFC1876, RFC1982,
> RFC2065, RFC2181, RFC2308, RFC2535, RFC4033, RFC4034, RFC4035) (Also
> STD0013) (Status: STANDARD)
>
> 1035 Domain names - implementation and specification. P.V.
> Mockapetris. Nov-01-1987. (Format: TXT=125626 bytes) (Obsoletes
> RFC0973, RFC0882, RFC0883) (Updated by RFC1101, RFC1183, RFC1348,
> RFC1876, RFC1982, RFC1995, RFC1996, RFC2065, RFC2136, RFC2181,
> RFC2137, RFC2308, RFC2535, RFC2845, RFC3425, RFC3658, RFC4033,
> RFC4034, RFC4035) (Also STD0013) (Status: STANDARD)
>
> DNS servers do not spontaneously reply using TCP to a UDP request. If the
> UDP request results in a reply too large, the TC flag is set in the reply,
> and the querying station may elect to repeat the request using TCP. ONLY
> THEN will there be a TCP packet exchange. See section 4.2 of RFC1035.
>
> Old guy

Procedure to dump port 53 traffic for old guy et al to look at:

undebug all
clear db
unset ffilter
<repeat this command until it says invalid id>
set ffilter dst-port 53
debug flow basic
<wait for traffic>
get db st

-Russ.
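The TC-flag behaviour Moe Trin describes is easy to check by hand against a captured packet. The following script is an added example, not part of the original thread or of any NetScreen tooling: it builds a UDP DNS query, parses the 12-byte reply header from RFC 1035, decides whether a resolver would fall back to TCP (only when the reply is a response, matches the query ID, and has TC set), and shows the 2-byte length prefix that RFC 1035 section 4.2.2 requires on TCP. The two replies at the bottom are constructed inline so the script runs offline; the 192.0.2.1 answer is a TEST-NET placeholder. A firewall admin puzzling over TCP/53 "denied" entries can feed real reply bytes from a capture into parse_header() to confirm whether a truncated UDP answer preceded them.

```python
"""Added example: DNS header parsing and TC-driven TCP fallback (RFC 1035 4.2)."""
import random
import struct

FLAG_QR = 0x8000    # message is a response
FLAG_TC = 0x0200    # response was truncated; client may retry over TCP
RCODE_MASK = 0x000F


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed DNS labels ending in a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Standard query (RD set), one question, class IN, no other sections."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Split the fixed 12-byte header into ID, flag bits and section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def should_retry_over_tcp(query, reply):
    """A resolver moves to TCP only for a response to its own query with TC set."""
    h = parse_header(reply)
    return h["qr"] and h["tc"] and h["id"] == parse_header(query)["id"]


def frame_for_tcp(msg):
    """RFC 1035 4.2.2: on TCP each message is prefixed with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream):
    """Inverse of frame_for_tcp; rejects a short read."""
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("incomplete TCP DNS message")
    return stream[2:2 + length]


# Constructed samples (not captured traffic). Flags 0x8380 = QR|TC|RD|RA,
# 0x8180 = QR|RD|RA. Both echo the question section of the query.
QUERY = build_query("example.com", txid=0x1234)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]
NORMAL_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]
    + b"\xc0\x0c"                                  # name pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4)           # A, IN, TTL 300, RDLENGTH 4
    + bytes([192, 0, 2, 1])                        # placeholder address
)

if __name__ == "__main__":
    for label, reply in (("truncated", TRUNCATED_REPLY), ("normal", NORMAL_REPLY)):
        h = parse_header(reply)
        print("%-9s tc=%-5s ancount=%d retry_over_tcp=%s"
              % (label, h["tc"], h["ancount"], should_retry_over_tcp(QUERY, reply)))
```

Note that should_retry_over_tcp() insists on a matching transaction ID; a TC reply with a different ID is not a reason to open a TCP connection, which matters when reading a log full of unsolicited port 53 traffic.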
Received on Mon May 1 00:52:59 2006