[dns-operations] DNS maximum packet size
Robert.Patrick at hq.doe.gov
Fri Sep 18 17:50:15 UTC 2009
Are firewall vendors working to increase the default settings for DNS
maximum packet size in order to better support EDNS and DNSSEC?
Cisco firewalls have a default maximum packet size for DNS set to 512
bytes, and I'm going to guess similar settings exist for other vendor
A recent inquiry to increase the default setting for DNS maximum packet
size enforcement on Cisco firewalls was answered with "the default
configuration change is not on our firewall roadmap".
Is anybody working to get the vendors to put this change into product
roadmaps, especially as year-end approaches and the OMB deadline is
Example configuration change for Cisco ASA and FWSM shown below:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
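A way to check from the inside whether a firewall on the path is still clamping DNS to 512 bytes is to send an EDNS0 query that advertises a 4096-byte buffer and see whether a large answer comes back whole, comes back with TC set, or never arrives. The script below is an added example, not part of the original message or of any vendor's tooling; the resolver address, the query name and the use of DNSKEY (type 48) as a likely-large record are assumptions.

```python
import socket
import struct

def build_edns_query(qname, qtype=48, bufsize=4096, do_bit=True):
    """Build a raw DNS query carrying an EDNS0 OPT RR that advertises bufsize.
    Query ID is a fixed constructed value (0x1234); RD set, one question,
    one additional record (the OPT RR)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname_wire + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    flags = 0x8000 if do_bit else 0  # DO bit asks for DNSSEC records
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size,
    # TTL=ext-rcode/version/flags, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, bufsize, 0, 0, flags, 0)
    return header + question + opt

def classify_response(resp, limit=512):
    """Classify a raw UDP reply relative to the 512-byte limit the post describes."""
    if len(resp) < 12:
        return "no-response-or-malformed"  # dropped by a filter, or timeout
    flags = struct.unpack("!H", resp[2:4])[0]
    if flags & 0x0200:  # TC bit: server had to truncate to fit the buffer
        return "truncated"
    if len(resp) > limit:
        return "large-response-passed"  # EDNS sizes are getting through
    return "small-response"  # inconclusive: answer fit in 512 bytes anyway

def probe(server, qname="example.com.", bufsize=4096, timeout=3.0):
    """Send one EDNS query over UDP and classify what comes back (or does not)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(qname, bufsize=bufsize), (server, 53))
        try:
            resp, _ = s.recvfrom(65535)
        except socket.timeout:
            resp = b""
    return classify_response(resp)

if __name__ == "__main__":
    # Assumed resolver address; replace with the one behind the firewall.
    print(probe("192.0.2.53"))
```

A result of "truncated" or "no-response-or-malformed" on a name known to return a large signed answer points at a clamp between the client and the server, while "large-response-passed" shows the 4096-byte setting is in effect end to end.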