Cisco Pix drops UDP packets larger than 512 bytes

David Hekimian davidh at
Mon Jun 3 18:39:11 UTC 2002

I've been having some problems looking up specific sites (the MX record for
Lycos.Com for example) where the returned packet size is larger than 512
(Using Dig >8.2.5 'dig -t mx +debug +dn')

Cisco's BugToolkit (BugID CSCds58726) shows the bug as a "Feature" -

DOC: PIX drops DNS packets of sizes greater than 512 bytes

UDP packets with destination port 53, DNS packets, will be dropped by the
PIX if the packet size is more than 512 bytes. This is a design

I was under the impression that if a packet is larger than 512 bytes then
TCP was used. In what instances does BIND switch from UDP to TCP?

Q. Does this violate an RFC?
Q. Is this even a desired behavior?

I'm willing to push Cisco to add a command feature to turn off this "Feature"
if not eliminate it completely. I need some backup reasoning (Violates an
RFC, etc) to build my case (if necessary).

All feedback is greatly appreciated.

- David
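The UDP-to-TCP switch David asks about is the RFC 1035 truncation mechanism: a server whose UDP reply would exceed 512 bytes sends a short reply with the TC bit set, and the client repeats the same query over TCP, where each message carries a 2-byte length prefix. The following is an added example, not code from the post or from BIND, showing both halves of that exchange against a constructed in-memory server (fake_server) with constructed example.com MX records; the function names, the transaction id 0x1234 and the record data are all assumptions of the example.

```python
import struct

DNS_UDP_MAX = 512       # RFC 1035 4.2.1: DNS over UDP is limited to 512 bytes
FLAG_QR = 0x8000        # message is a response
FLAG_TC = 0x0200        # truncated: client should retry over TCP
FLAG_RD = 0x0100        # recursion desired
FLAG_RA = 0x0080        # recursion available
QTYPE_MX, QCLASS_IN = 15, 1


def encode_name(name):
    """Dotted name -> uncompressed DNS label sequence."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def name_end(msg, offset):
    """Offset just past the name that starts at `offset` (handles pointers)."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def build_query(qname, qtype, txid):
    """Minimal query: header with RD set and one question in class IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}


def truncate_for_udp(full_response):
    """Server side: if the whole response does not fit in 512 bytes, return
    header + question only, with TC set and the answer counts zeroed."""
    if len(full_response) <= DNS_UDP_MAX:
        return full_response
    txid, flags, qd = struct.unpack("!HHH", full_response[:6])
    qend = 12
    for _ in range(qd):
        qend = name_end(full_response, qend) + 4      # skip QTYPE and QCLASS
    header = struct.pack("!HHHHHH", txid, flags | FLAG_TC, qd, 0, 0, 0)
    return header + full_response[12:qend]


def resolve(qname, qtype, send_udp, send_tcp, txid=0x1234):
    """Client side: query over UDP first; if TC is set, repeat the query over
    TCP with a 2-byte length prefix (RFC 1035 4.2.2). Returns (transport, msg)."""
    query = build_query(qname, qtype, txid)
    udp_resp = send_udp(query)
    hdr = parse_header(udp_resp)
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("unexpected UDP reply")
    if not hdr["tc"]:
        return "udp", udp_resp
    framed = send_tcp(struct.pack("!H", len(query)) + query)
    (length,) = struct.unpack("!H", framed[:2])
    tcp_resp = framed[2:2 + length]
    if parse_header(tcp_resp)["id"] != txid:
        raise ValueError("unexpected TCP reply")
    return "tcp", tcp_resp


def exceeds_classic_udp_limit(udp_payload):
    """The test a 512-byte filter applies to a UDP/53 datagram."""
    return len(udp_payload) > DNS_UDP_MAX


def constructed_mx_response(txid, qname, n_records):
    """Constructed sample: a complete MX answer with n_records RRs (not real data)."""
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA, 1, n_records, 0, 0)
    msg = header + encode_name(qname) + struct.pack("!HH", QTYPE_MX, QCLASS_IN)
    for i in range(n_records):
        rdata = struct.pack("!H", 10 * (i + 1)) + encode_name(f"mx{i:02d}.example.com")
        # owner name is a pointer (0xC00C) back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_MX, QCLASS_IN, 300, len(rdata)) + rdata
    return msg


def fake_server(full_response):
    """Constructed stand-in for a name server reachable over both transports."""
    def send_udp(query):
        return truncate_for_udp(full_response)

    def send_tcp(framed_query):
        return struct.pack("!H", len(full_response)) + full_response
    return send_udp, send_tcp


def demo(n_records):
    """Run one lookup and report which transport carried the usable answer."""
    txid = 0x1234
    full = constructed_mx_response(txid, "example.com", n_records)
    send_udp, send_tcp = fake_server(full)
    transport, answer = resolve("example.com", QTYPE_MX, send_udp, send_tcp, txid)
    udp_wire = send_udp(None)
    return {"transport": transport, "full_len": len(full), "udp_reply_len": len(udp_wire),
            "udp_reply_over_512": exceeds_classic_udp_limit(udp_wire),
            "ancount": parse_header(answer)["ancount"]}


if __name__ == "__main__":
    print(demo(3))     # small answer: fits in UDP
    print(demo(20))    # large answer: truncated over UDP, completed over TCP
```

With a conforming server the UDP datagram that crosses the firewall is the short TC reply, well under 512 bytes, and the full answer travels over TCP/53, so a 512-byte UDP limit on its own does not break the lookup. A UDP/53 datagram larger than 512 bytes only appears when the server sends the whole answer over UDP, which the later EDNS0 extension (RFC 2671) permits when the client advertises a larger buffer; that untruncated reply is the kind of packet a fixed 512-byte filter drops, and the client then sees a timeout rather than a TC bit, so it never falls back to TCP.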
