Security – Do firewalls drop udp dns queries that are longer than 512 bytes

domain-name-systemfirewallSecurity

bottom line:
DNS' RFC notes that DNS queries over UDP are limited to 512 bytes. Does anybody know if this is enforced by major corporate firewalls?

long story:
My company develops a product that should communicate between data centers. Since the typical user of this product (performance engineer) would not have access to firewall's settings, we would like to develop a method that bypasses firewalls with good rates of success. We thought of tunneling the application data over DNS TXT queries, since it seems that (within the WAN) firewalls tend to let DNS queries pass by. However, we are not very knowledgeable about common firewall behavior and would like some help. Specifically, we are wondering whether the big-brand firewalls block DNS queries over UDP that are longer than 512 bytes.

Thanks,

Best Answer

No, firewalls don't habitually drop big DNS queries like that, as far as I'm aware. What you want to look at for your problem is existing implementations of IP over DNS, such as dns2tcp, nstx, or iodine. They'll show you exactly how it can be done.

Related Solutions

Bind9 – Get Dual NIC Machine to Answer DNS Queries

I assume that eth0 is the default route for the machine, in which case I would expect that the responses for requests coming in eth1 to go out eth0. If that is the case, you need to configure source routing so that the responses go out eth1:

# Label a new routing table
echo "10 eth1" >> /etc/iproute1/rt_table
# Add a default route to the eth1 routing table
ip route add default via 192.168.9.1 dev eth1 table eth1
# Send packets with a source IP of .25 to the eth1 routing table
ip rule add from 192.168.9.25 table eth1

This assumes that bind actually sets the source IP in the response packets. If it doesn't, try specifying both IPs in named.conf with the listen-on option. If that still doesn't work, I think your only option is to run two instances of bind, one for each IP.

DNS – Why UDP Has a 512 Bytes Limit

The 512 byte payload guarantees that DNS packets can be reassembled if fragmented in transit. Also, generally speaking there's less chance of smaller packets being randomly dropped.

The IPv4 standard specifies that every host must be able to reassemble packets of 576 bytes or less. With an IPv4 header (20 bytes, though it can be as high as 60 bytes w/ options) and an 8 byte UDP header, a DNS packet with a 512 byte payload will be smaller than 576 bytes.

As @RyanRies says: DNS can use TCP for larger payloads and for zone transfers and DNSSEC. There's a lot more latency when TCP comes into play because, unlike UDP, there's a handshake between the client and server before any data begins to flow.

Best Answer

Related Solutions

Bind9 – Get Dual NIC Machine to Answer DNS Queries

DNS – Why UDP Has a 512 Bytes Limit

Related Topic