ianl
Level 7

McAfee Webgateway 7.x and UDP DNS response packet length exceeds 512 bytes


Dear Colleagues,

I have an interesting scenario, a client has 2 MWG appliances. One is on MWG version 6.8 and the other is on version 7.1.6 (12411). They both talk to the same ISP DNS server.

However, they experience problems only with the 7.x appliance and not the 6.8 one.

The error they see is that the firewall (Cisco PIX/ASA) that sits between the ISP's DNS server and the MWG drops the DNS response packet with the below-mentioned error message:

Dropped UDP DNS reply from CRCoutside:2xx.xx.x.x/53 to inside:10.xx.x.xxx/54498; packet length 578 bytes exceeds configured limit of 512 bytes

The problem was resolved when the firewall team changed the "default return length of DNS" to 586 bytes.

I've read up some articles on how the packet size increases when using DNSSEC and IPv6. But is that what is happening here? (I'm not entirely sure if I have understood them correctly)

https://lists.isc.org/pipermail/bind-users/2007-September/067999.html

http://djberriman.blogspot.in/2007/11/cisco-firewall-dns-packet-size-setting.html

http://www.cisco.com/web/about/security/intelligence/dnssec.html

Also, how come this affects only the 7.x appliance? Any thoughts on this? What should be the recommended setting for the packet length on the firewall?


Accepted Solutions
asabban
Level 17

Re: McAfee Webgateway 7.x and UDP DNS response packet length exceeds 512 bytes


Hi Ian,

in MWG6.x (CGLinux) we used the libc resolver library to perform DNS lookups. In MWG7.x (MLOS) this has been changed to udns, a different library to perform DNS lookups. The new DNS implementation supports EDNS, which is described in http://en.wikipedia.org/wiki/EDNS. Normally DNS packets have a maximum size of 512 bytes, but EDNS allows bigger sizes so that all DNS information can be included or optional headers can be present.

If you look at the "Issues" section of the Wikipedia article you will find an issue described that is similar to yours. According to a colleague a maximum of 4096 bytes is permitted for EDNS responses. We have not seen that much data included in any DNS response we have spotted in the wild, but a recommendation would be to increase the maximum DNS response size to match the size of the MTU you have configured on the firewall (most likely 1500). You could also be fine with 586, but if you get a larger response it may get blocked as well.

I hope this helps.

best,

Andre

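As an added illustration (not code from this thread, from McAfee or from Cisco), the following Python script models the difference described in the accepted answer. A query with no EDNS0 OPT record, as a libc-style resolver sends, tells the server to stay within the 512-byte RFC 1035 limit, so the server sets the TC bit and truncates; a udns-style query that advertises a 4096-byte EDNS buffer gets the full reply, which a firewall still enforcing 512 bytes drops. The query name, the addresses and the record count are constructed test data, and the server and firewall functions are simplified models of the behaviour, not the ISP's server or the ASA inspection engine.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000       # DNSSEC OK bit in the OPT "TTL" field
TC_FLAG = 0x0200       # truncation bit in the DNS header flags
CLASSIC_UDP_MAX = 512  # RFC 1035 UDP limit, what the firewall enforces by default


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234, udp_size=None, dnssec_ok=False):
    """Raw DNS query; with udp_size set, append an OPT RR advertising that buffer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if udp_size else 0)
    packet = header + _encode_name(name) + struct.pack("!HH", qtype, 1)
    if udp_size:
        ttl = DO_FLAG if dnssec_ok else 0  # ext-rcode 0, version 0, DO in flags
        # OPT RR: root name, type 41, CLASS carries the UDP payload size, no rdata
        packet += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return packet


def _skip_name(data, off):
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, always 2 bytes
            return off + 2
        off += 1 + length


def _rr_header(data, off):
    """Return (offset after the RR, type, class, ttl) for the RR at off."""
    off = _skip_name(data, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
    return off + 10 + rdlen, rtype, rclass, ttl


def parse_edns(packet):
    """(advertised UDP payload size, DO bit) from the OPT RR, or None if absent."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", packet, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4
    for _ in range(an + ns):
        off = _rr_header(packet, off)[0]
    for _ in range(ar):
        off, rtype, rclass, ttl = _rr_header(packet, off)
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_FLAG)
    return None


def is_truncated(packet):
    return bool(struct.unpack_from("!H", packet, 2)[0] & TC_FLAG)


def build_reply(query, addresses, server_udp_size=4096):
    """Model of an EDNS-aware server answering an A query: honour the client's
    advertised buffer (512 without OPT), set TC and stop when records won't fit."""
    txid = struct.unpack_from("!H", query, 0)[0]
    client = parse_edns(query)
    limit = client[0] if client else CLASSIC_UDP_MAX
    question = query[12:_skip_name(query, 12) + 4]
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, server_udp_size, 0, 0) if client else b""
    answers, tc = [], 0
    size = 12 + len(question) + len(opt)
    for ip in addresses:
        # name is a pointer to the question name at offset 12; A record, TTL 300
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
        if size + len(rr) > limit:
            tc = TC_FLAG
            break
        answers.append(rr)
        size += len(rr)
    flags = 0x8180 | tc  # QR, RD, RA
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 1 if opt else 0)
    return header + question + b"".join(answers) + opt


def firewall_inspect(reply, max_len=CLASSIC_UDP_MAX):
    """Model of the firewall's DNS inspection: drop any UDP reply longer than max_len."""
    return "drop" if len(reply) > max_len else "pass"


def simulate(client_udp_size, firewall_max=CLASSIC_UDP_MAX, n_records=34):
    addrs = ["203.0.113.%d" % i for i in range(1, n_records + 1)]  # constructed, TEST-NET-3
    reply = build_reply(build_query("www.example.com", udp_size=client_udp_size), addrs)
    return {"reply_len": len(reply), "truncated": is_truncated(reply),
            "edns": parse_edns(reply), "firewall": firewall_inspect(reply, firewall_max)}


if __name__ == "__main__":
    for label, size in (("libc-style, no EDNS", None), ("udns-style, EDNS 4096", 4096), ("EDNS 512", 512)):
        print(label, simulate(size))
```

The no-EDNS case yields a 497-byte truncated reply that passes the 512-byte check, the 4096-byte case yields a 588-byte untruncated reply that is dropped until the limit is raised to the MTU, and a client advertising a 512-byte EDNS buffer gets a truncated 508-byte reply that also passes. On a Cisco ASA the knob the firewall team adjusted corresponds to the message-length maximum parameter of the DNS inspection policy-map (an ASA fact, not something stated in this thread).
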
4 Replies
asabban
Level 17

Re: McAfee Webgateway 7.x and UDP DNS response packet length exceeds 512 bytes


Hello,

what I can tell is that MWG7 uses a different implementation of DNS. I will try to get some more details from the engineering guys who built this stuff.

Best,

Andre

ianl
Level 7

Re: McAfee Webgateway 7.x and UDP DNS response packet length exceeds 512 bytes


Hi Andre,

Thanks! Looking forward to your reply!

Cheers,

Ian


ianl
Level 7

Re: McAfee Webgateway 7.x and UDP DNS response packet length exceeds 512 bytes


Hi Andre,

Thank you! That makes perfect sense. This is just what I needed.

Cheers,

Ian
