DNS Length errors

dopenfield
Level 1

I've started seeing DNS length errors in our PIX log, both packet and label length.

I'm trying to find some reference about how concerned we should be. I've looked at the RFC and can understand the Label can't be over 63.

I want to understand the reason 512 is the default for the DNS fixup. We've bumped ours up a bit without noticing any effect.

Anyone have any reading they can point me to?

5 Replies

Patrick Iseli
Level 7

Windows DNS Server does not respect the standards and has dns packets bigger than 512 bytes.

change it to a bigger size and everything will be ok.

example:

fixup protocol dns maximum-length 1024

sincerely

Patrick

Thanks,

I'm regularly seeing 1500 - 1800 byte packets. Normal?

c-dudley
Level 1

The old DNS RFC stated that any DNS reply over 512 would be truncated to 512, sent as UDP with a kind of "If you want to know more, ask again in TCP". You would then query in TCP for the full record.

The new DNS spec allows packets over 512 to be sent in UDP. AKADNS sites, such as yahoo, use the new spec.

Setting the fixup to 1024 allows UDP responses up to 1024. When it was set to 512, the pix was dropping the packet as being invalid due to its size.

Chris

Hi all,

Perhaps a bit late! RFC 2671 specifies extensions for DNS queries/replies. By default, the PIX will only allow DNS packets not larger than 512. The solution would be to turn off DNS-guard feature (no fixup protocol dns) or to allow bigger DNS packets through the PIX (fixup protocol dns maximum-length 4098 or any other value, like 1500). This is a known issue with Windows 2003 servers and PIX Firewalls.

-- DNS query responses do not travel through a firewall in Windows Server 2003:

http://support.microsoft.com/default.aspx?scid=kb;en-us;828263

Thanks,

Federico Rodriguez
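To make the two replies above concrete (the 512-byte UDP limit with the TC bit from the old RFC 1035 behaviour, and the EDNS0 OPT record from RFC 2671 that advertises a larger UDP payload), here is a small Python checker I wrote as an added example. It is not code from any poster or from Cisco; it builds a few DNS responses itself (constructed sample data, names and addresses are made up) and then applies the checks a DNS-guard style filter is interested in: the 63-octet label limit, the total packet length against a configurable maximum, whether the TC bit is set, and what UDP size an OPT record advertises. The `would_pass_fixup` function is only an approximation of the PIX length check, not its real implementation.

```python
# Added example, not from the thread: a minimal DNS message builder and
# checker for the limits discussed above (RFC 1035 label/512-byte rules and
# the RFC 2671 EDNS0 OPT pseudo-record). Sample packets are constructed here.
import struct

CLASSIC_UDP_MAX = 512   # RFC 1035 UDP message limit
MAX_LABEL = 63          # RFC 1035 label length limit
TYPE_OPT = 41           # RFC 2671 OPT pseudo-record type


def encode_name(name):
    """Encode a dotted name as DNS labels; reject labels over 63 octets."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if len(raw) > MAX_LABEL:
            raise ValueError("label longer than 63 octets: %s" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, next_off)."""
    labels = []
    jumped = False
    end = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        if length > MAX_LABEL:               # the "label length" error case
            raise ValueError("label longer than 63 octets")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_response(qname, answers, tc=False, edns_udp_size=None):
    """Build a response: header, one A question, A answers, optional OPT RR."""
    flags = 0x8180 | (0x0200 if tc else 0)   # QR=1, RD=1, RA=1, optional TC
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # type A, class IN
    body = b""
    for ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        # pointer to the question name at offset 12, type A, class IN, TTL 300
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    if edns_udp_size is not None:
        # OPT RR: root name, type 41; the "class" field carries the UDP size
        body += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + body


def inspect(msg):
    """Summarise the properties a DNS-guard style filter looks at."""
    if len(msg) < 12:
        raise ValueError("short header")
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    names = []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        names.append(name)
        off += 4                              # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns_size = rclass                # advertised UDP payload size
        else:
            names.append(name)
    return {
        "length": len(msg),
        "truncated": bool(flags & 0x0200),
        "over_512": len(msg) > CLASSIC_UDP_MAX,
        "edns_udp_size": edns_size,
        "names": names,
    }


def would_pass_fixup(msg, maximum_length=CLASSIC_UDP_MAX):
    """Approximation (assumption, not the PIX code) of the maximum-length check."""
    info = inspect(msg)                       # raises on a bad label
    return info["length"] <= maximum_length


if __name__ == "__main__":
    big = build_response("www.example.com",
                         ["192.0.2.%d" % i for i in range(1, 41)],
                         edns_udp_size=4096)
    print(inspect(big)["length"], would_pass_fixup(big), would_pass_fixup(big, 1024))
```

A 40-record answer with an OPT record comes out at 684 bytes, so it fails the default 512 check and passes once the limit is raised to 1024, which is exactly the behaviour described above. A response with TC set is still small (the server truncated it), which is why the old behaviour never tripped the fixup.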

I was wondering if my problem could be related to this.

(I have the default settings ~ 512)

When I type in msn.com it doesn't come up unless I push refresh 5 times, but when I put in www.msn.com it comes up right away.

Would turning off the DNS guard help my problem?