4 Replies Latest reply on Jul 27, 2012 6:42 AM by ianl

    McAfee Webgateway 7.x and UDP DNS response packet length exceeds 512 bytes

    ianl

      Dear Colleagues,

      I have an interesting scenario, a client has 2 MWG appliances. One is on MWG version 6.8 and the other is on version 7.1.6 (12411). They both talk to the same ISP DNS server.

      However, they experience problems only with the 7.x appliance and not the 6.8 one.

      The error they see is that the firewall (Cisco PIX/ASA) that sits between the ISP's DNS server and the MWG drops the DNS response packet with the following error message:

      Dropped UDP DNS reply from CRCoutside:2xx.xx.x.x/53 to inside:10.xx.x.xxx/54498; packet length 578 bytes exceeds configured limit of 512 bytes

      The problem got resolved when the firewall team changed the "default return length of DNS" to 586 bytes.

      I've read up some articles on how the packet size increases when using DNSSEC and IPv6. But is that what is happening here? (I'm not entirely sure if I have understood them correctly)

      https://lists.isc.org/pipermail/bind-users/2007-September/067999.html

      http://djberriman.blogspot.in/2007/11/cisco-firewall-dns-packet-size-setting.html

      http://www.cisco.com/web/about/security/intelligence/dnssec.html

      Also, how come this affects only the 7.x appliance? Any thoughts on this? What should be the recommended setting for the packet length on the firewall?
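To check whether a captured reply carries an EDNS0 OPT record (the mechanism that lets a resolver accept UDP replies larger than the classic 512 bytes) and whether its size would trip the inspection limit quoted in the log line, here is an added example that is not part of the original post or of any McAfee or Cisco tool. The packets it builds are constructed test data; the `ASA_DEFAULT_MAX` value is taken from the log message above.

```python
import struct

# Limit quoted by the firewall in the original log line ("configured limit of 512 bytes").
ASA_DEFAULT_MAX = 512

def encode_name(name):
    """Encode a dotted hostname in DNS wire format (labels, no compression)."""
    labels = [l.encode() for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_response(qname, n_answers, edns_size=None):
    """Build a constructed DNS reply for qname with n_answers A records.
    If edns_size is set, append an EDNS0 OPT pseudo-record advertising that UDP payload size."""
    arcount = 1 if edns_size else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, n_answers, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)          # type A, class IN
    answers = b""
    for i in range(n_answers):
        # 0xC00C = compression pointer to the question name; A / IN / TTL 300 / rdlength 4 / address
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, i % 256])
    additional = b""
    if edns_size:
        # OPT RR (RFC 6891): root name, type 41, CLASS field = advertised UDP payload size
        additional = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return header + question + answers + additional

def _skip_name(pkt, off):
    """Advance past a wire-format name, honouring compression pointers."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:     # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def edns_udp_size(pkt):
    """Return the UDP payload size advertised by an OPT record, or None if the reply has no EDNS0."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4            # skip QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 41:                           # OPT: the class field carries the UDP size
            return rclass
        off += 10 + rdlen
    return None

def would_be_dropped(pkt, limit=ASA_DEFAULT_MAX):
    """True if DNS inspection with this byte limit would discard the reply (the logged condition)."""
    return len(pkt) > limit
```

Run on a real capture, a reply longer than 512 bytes with an OPT record means the resolver asked for large replies via EDNS0 and the firewall's inspection limit, not the DNS server, is the reason the 7.x box fails; a long reply with no OPT record would instead point at a server that ignores the 512-byte UDP rule.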