Netgate SG-1000 microFirewall

Author Topic: EDNS0 Support  (Read 2541 times)

0 Members and 1 Guest are viewing this topic.

Offline beer

  • Newbie
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
EDNS0 Support
« on: April 16, 2012, 03:05:52 pm »
My DC (MS W2K8R2) which is running DNS is throwing a lot of 5501 events.

The DNS server encountered a bad packet from  Packet processing leads beyond packet length. The event data contains the DNS packet.

The MS KB says this is the problem with the router (pfsense):

This issue occurs because of the Extension Mechanisms for DNS (EDNS0) functionality that is supported in Windows Server 2003 DNS.

EDNS0 permits the use of larger User Datagram Protocol (UDP) packet sizes. However, some firewall programs may not permit UDP packets that are larger than 512 bytes. As a result, these DNS packets may be blocked by the firewall.

Any idea on how to investigate on the router?

Thank you fine folks!

Offline cmb

  • Hero Member
  • *****
  • Posts: 11228
  • Karma: +896/-7
    • View Profile
    • Chris Buechler
Re: EDNS0 Support
« Reply #1 on: April 17, 2012, 01:29:34 am »
We don't discriminate on packet sizes of any UDP or DNS. By "some firewall programs", what they're specifically referring to there is the old Cisco PIX/ASA default limit of 512 bytes on DNS requests. Almost every PIX config we see has that broken so it's undoubtedly caused numerous issues along those lines. If you're using the DNS forwarder, we default to dnsmasq's default of 4096 for --edns-packet-max, the recommended value per RFC 5625. If your Windows server does its own recursive lookups, there is no limit induced by the firewall.