Cisco ASA Firewall marking PowerDNS 512-byte Truncated UDP responses as 'mangled packets'

by randallman

Has anyone else had this issue?

We're currently using PowerDNS as an authoritative NS for some 500,000-odd domain names.  Some of them have particular queries which will exceed the 512-byte UDP maximum.

It appears that PowerDNS (2.6.21 and perhaps 2.6.22) is merely truncating responses which are greater than 512 bytes and setting the TC bit.  Unfortunately, this means that the number of answer RRs does not match what the DNS packet claims the number of answer RRs is.  Also, this means that the packet may end mid-RR.  Therefore, our Cisco ASA firewalls are refusing to deliver the packet and are calling it 'malformed'.  If viewed in Wireshark, the packets are also being labeled as 'malformed'.

While we would be able to disable this functionality in our own firewall(s), we would not be able to disable this functionality in potential users' firewalls.

Unfortunately, after looking at the code, it appears as though the 512-byte size check is done AFTER the packet is 'finalized' or 'wrapped up'.  Therefore, it seems like it would be somewhat problematic to actually make a reasonable decision about how to truncate the packet and adjust the RR counters in the DNS response preamble.

Thoughts?

Thanks in advance!
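As an added illustration (not from the original post and not PowerDNS code), the following Python builds a constructed oversized reply, reproduces the truncation behaviour described above (cut at 512 bytes, set TC, leave ANCOUNT alone) so that the header count no longer matches the RRs actually present, and contrasts it with dropping whole RRs and rewriting ANCOUNT. It assumes a single question, no authority/additional sections, and a constructed example.com zone.

```python
import struct

TC = 0x0200  # truncation bit in the DNS header flags word

def _skip_name(pkt, off):
    """Offset just past a wire-format name; 0xC0 marks a two-byte compression pointer."""
    while pkt[off] and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] & 0xC0 else 1)

def _answers_start(pkt):
    return _skip_name(pkt, 12) + 4  # past the single question (assumed): name, QTYPE, QCLASS

def build_response(qname, ips, tid=0x1234):
    """Constructed sample: uncompressed reply, one question, one A RR per address, no NS/AR sections."""
    enc = lambda n: b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", tid, 0x8400, 1, len(ips), 0, 0)  # QR|AA, QDCOUNT 1, ANCOUNT n
    rr = lambda ip: enc(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))
    return hdr + enc(qname) + struct.pack("!HH", 1, 1) + b"".join(rr(ip) for ip in ips)

def rr_boundaries(pkt):
    """End offset of every complete answer RR, stopping at the first one that is cut short."""
    off, ends = _answers_start(pkt), []
    for _ in range(struct.unpack("!H", pkt[6:8])[0]):  # ANCOUNT as claimed by the header
        try:
            o = _skip_name(pkt, off) + 10  # name, then TYPE CLASS TTL RDLENGTH
            off = o + struct.unpack("!H", pkt[o - 2:o])[0]  # skip RDATA
            pkt[off - 1]  # IndexError if the RDATA itself is cut short
        except (IndexError, struct.error):
            break  # this RR runs past the end of the packet
        ends.append(off)
    return ends

def is_consistent(pkt):
    """True when ANCOUNT matches the RRs actually present and the last one ends at the packet end."""
    ends = rr_boundaries(pkt)
    return len(ends) == struct.unpack("!H", pkt[6:8])[0] and (ends[-1] if ends else _answers_start(pkt)) == len(pkt)

def naive_truncate(pkt, limit=512):
    """Behaviour the post describes: cut at the byte limit, set TC, leave the section counts alone."""
    flags = struct.unpack("!H", pkt[2:4])[0] | TC
    return pkt[:2] + struct.pack("!H", flags) + pkt[4:limit]

def truncate_whole_rrs(pkt, limit=512):
    """Drop trailing answer RRs until the reply fits, set TC only if something was dropped, fix ANCOUNT."""
    keep = [e for e in rr_boundaries(pkt) if e <= limit]
    cut = keep[-1] if keep else _answers_start(pkt)
    flags = struct.unpack("!H", pkt[2:4])[0] | (TC if cut < len(pkt) else 0)
    return pkt[:2] + struct.pack("!H", flags) + pkt[4:6] + struct.pack("!H", len(keep)) + pkt[8:cut]
```

Running `is_consistent` over the two truncated forms shows why a strict parser (firewall or Wireshark) flags the first and accepts the second: the whole-RR version still sets TC, so a resolver retries over TCP exactly as before, but every byte it carries is a complete record the header accounts for.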