ScreenOS Firewalls (NOT SRX)

DNSSEC and May 5th?

04-13-2010 06:17 AM

I was reading this: http://www.theregister.co.uk/2010/04/13/dnssec/

and went here: http://labs.ripe.net/content/testing-your-resolver-dns-reply-size-issues

Using Google's DNS resolvers on a client behind a Netscreen SSG140 I keep getting "Your resolver was only able to get packets SMALLER than 512 bytes" which suggests I have a problem.

Any suggestions as I assume this is a ScreenOS screening issue, yet even with "Generate Alarms without Dropping Packet" ticked I get the same issue?

Re: DNSSEC and May 5th?

04-13-2010 12:12 PM

Hi

This setting is enforced by Deep Inspection and can be changed with the following command:

set di service dns udp_message_limit 512 - 4096

The default size is 512

Regards

Hans
JNCIS-FWV

If this worked for you then please flag my post as an "Accepted Solution" so others can benefit from it. A kudo would be nice if you think I earned it
Re: DNSSEC and May 5th?

04-23-2010 09:37 AM

It is a setting in deep inspection, but if you are not using deep inspection on the policy then what is the issue?

Re: DNSSEC and May 5th?

04-30-2010 01:12 PM

@ogardatadude wrote:

It is a setting in deep inspection, but if you are not using deep inspection on the policy then what is the issue?


You need to allow both 53/UDP and 53/TCP from your nameserver to the internet. The UDP transport only delivers 512 bytes. Larger responses will be transferred via TCP. [see RFC 1035 section 4.1.2]

Heiko
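The two answers above (the Deep Inspection udp_message_limit and the TCP fallback) both come down to one question: is the path between client and resolver passing UDP answers larger than 512 bytes, or is something truncating them? Below is an added example, not code from this thread or from Juniper, of the check the RIPE test performs: build a query carrying an EDNS0 OPT record that advertises a 4096-byte buffer, then classify a reply by its TC bit and size. The sample replies are constructed inline; names like `classify_reply` are my own.

```python
import struct

# Constructed example: build an EDNS0-capable DNS query and judge what a
# UDP reply says about whether the path clamps answers at 512 bytes.

DNS_UDP_CLASSIC_MAX = 512   # RFC 1035 limit without EDNS0
EDNS_BUFSIZE = 4096         # UDP payload size advertised in the OPT record


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_edns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard query: one question plus one OPT pseudo-RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_BUFSIZE, 0, 0)
    return header + question + opt


def classify_reply(reply: bytes) -> str:
    """Classify a UDP reply: 'truncated' (TC set, client must retry over
    53/TCP), 'large-ok' (an answer above 512 bytes got through), or 'small'."""
    _txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if flags & 0x0200:                      # TC bit
        return "truncated"
    if len(reply) > DNS_UDP_CLASSIC_MAX:
        return "large-ok"
    return "small"


# Constructed sample replies (not captured traffic): a header-only reply
# with QR/RD/RA/TC set, and a 700-byte reply with QR/RD/RA and no TC.
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
SAMPLE_LARGE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + b"\x00" * 688
```

Sending `build_edns_query("example.com")` to a resolver and feeding the raw datagram to `classify_reply` tells you whether to look at the firewall (replies truncated at 512) or simply confirm that 53/TCP is also permitted.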