Do firewalls drop UDP DNS queries that are longer than 512 bytes?


Solution 1

No, firewalls don't habitually drop big DNS queries like that, as far as I'm aware. What you want to look at for your problem is existing implementations of IP over DNS, such as dns2tcp, nstx, or iodine. They'll show you exactly how it can be done.

Solution 2

If you're talking about real, proper, enterprise firewalls you're probably OK, although Cisco PIXes tend to come with a default setting that does limit packets to 512 bytes.

If on the other hand you're talking about low end firewalls, SOHO routers, etc., you're quite likely to come unstuck.

For a full treatise on these issues with low end kit see RFC 5625 and ICANN SSAC report SAC035. Obligatory disclaimer - I wrote these documents. DNS packet truncation is something of a speciality of mine...

Solution 3

The short answer is "not generally".

With EDNS they don't even have the 512 byte UDP limitation.

See the wiki page for some pointers:

What's far more likely is people thinking DNS is UDP only, and ignoring that TCP is required, not optional. We often have to run public DNS servers behind others' firewalls, and making them understand that we need TCP open not just to us but to the world is a pain.

Solution 4

There is an extension to the RFC known as EDNS0, which implements the ability to extend DNS messages beyond 512 bytes on UDP transports. Historically, some firewalls have been known to block the use of this extension. For instance, some older PIX and ASA firmwares will drop it by default, as exemplified here.

Chances are that most firewalls out there today don't exhibit this behaviour. But there's no guarantee that you won't walk into one out in the wild. There is also a chance that any deep packet inspection of your traffic could result in it being blocked as an anomaly.

Furthermore you should bear in mind (if you haven't already) that by using UDP you will have to build transmission control into your application layer, rather than relying on the transport (namely TCP) to provide it. Be sure to follow womble's advice about observing existing DNS tunnelling implementations.

Solution 5

Besides Alnitak's good summary, see also an excellent tool to test your DNS setup and see if it lets packets > 512 bytes go (as it should).

Here is an example of a broken DNS at an important IAP in France:

% dig +short txt
" lacks EDNS, defaults to 512"
" DNS reply size limit is at least 486 bytes"
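An added example (my own code, not from any of the answers or from the testing tool mentioned above) of the same check done by hand: it builds a TXT query carrying an EDNS0 OPT record that advertises a 4096-byte reply buffer, sends it over UDP to a resolver of your choosing, and reports whether the reply came back with the TC (truncated) bit set and what UDP payload size the responder advertised. The resolver address and query name are assumed placeholders, and constructed_reply is a hand-built sample used only to exercise the parser offline.

```python
import socket
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR (RFC 2671, now RFC 6891)

def encode_name(name):
    """Encode a dotted name in DNS wire format: length-prefixed labels, root terminator."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split(".")) + b"\x00"

def build_edns_query(name, qtype=16, udp_size=4096, txid=0x1234):
    """Build a TXT query whose OPT record advertises udp_size as the reply buffer we accept."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS field carries the UDP size, TTL field = ext-RCODE/version/flags
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt

def skip_name(data, off):
    """Return the offset just past a wire-format name (a 0xC0 compression pointer ends it in 2 bytes)."""
    while data[off] != 0 and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_reply(data):
    """Return (truncated, responder_udp_size_or_None, answer_count) from a raw DNS reply."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip QTYPE + QCLASS
    udp_size = None
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        if rtype == OPT_TYPE:
            udp_size = rclass  # the peer's own advertised UDP payload size
        off += 10 + rdlen
    return bool(flags & 0x0200), udp_size, an  # 0x0200 is the TC (truncated) bit

def probe(resolver, name, udp_size=4096, timeout=3.0):
    """Send one EDNS0 query over UDP; TC=1 in the reply means the client must retry over TCP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name, udp_size=udp_size), (resolver, 53))  # resolver is a placeholder
        data, _ = s.recvfrom(65535)
    return len(data), parse_reply(data)

def constructed_reply():
    """Constructed sample, not captured traffic: TC=1, one TXT answer, OPT advertising 1232 bytes."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 1, 0, 1)  # flags: QR|TC|RD|RA
    question = encode_name("example.com") + struct.pack(">HH", 16, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 16, 1, 300, 5) + b"\x04test"  # name = pointer to offset 12
    return header + question + answer + b"\x00" + struct.pack(">HHIH", OPT_TYPE, 1232, 0, 0)
```

A reply whose OPT record is missing or whose advertised size stays at 512 points at a middlebox or resolver that strips or ignores EDNS0, and a TC=1 reply with TCP/53 blocked is the failure mode the answers above describe.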


Updated on September 17, 2022


  • nadiv
    nadiv almost 2 years

    bottom line: DNS' RFC notes that DNS queries over UDP are limited to 512 bytes. Does anybody know if this is enforced by major corporate firewalls?

    long story: My company develops a product that should communicate between data centers. Since the typical user of this product (performance engineer) would not have access to firewall's settings, we would like to develop a method that bypasses firewalls with good rates of success. We thought of tunneling the application data over DNS TXT queries, since it seems that (within the WAN) firewalls tend to let DNS queries pass by. However, we are not very knowledgeable about common firewall behavior and would like some help. Specifically, we are wondering whether the big-brand firewalls block DNS queries over UDP that are longer than 512 bytes.



    • nadiv
      nadiv over 14 years
      Thanks all for your great advice! If I could accept every one of your answers I would do that, but I had to pick one.
    • bortzmeyer
      bortzmeyer over 14 years
      -1 for saying that the RFCs limit the size to 512 bytes. Check them first. RFC 2671, which suppressed this limit, is more than ten years old.
  • Dan Carley
    Dan Carley over 14 years
    Oh yes, blocking TCP/53 >fumes<
  • Alnitak
    Alnitak over 14 years
  • bortzmeyer
    bortzmeyer over 14 years
    Unfortunately, and despite the DNS standards, dropping DNS packets over 512 bytes is very common. See for instance the ICANN report at