packet too big

Joel jc517 at wmi.com
Fri Jul 9 14:42:34 UTC 2004



Michael Varre wrote:
> > I noticed that when using my name servers as a resolver I cannot get
> > to several yahoo sites.  I dug in and noticed a message is getting
> > logged on the firewall that the packet is over 512 bytes (this is the
> > answer packet).
> > The answer seems to be coming directly from yahoo's name servers. I
> > have included captures.  One is from an answer I receive from
> > roadrunner ns and the other is from one of my resolvers.  There is
> > clearly more data at the end of mine, however I have no clue why it is
> > there from my server rather than others.
> >
> > Any ideas on this problem would be greatly appreciated!  Thanks!

As you have noticed this is a firewall issue and is best addressed
at that point in the chain. On my PIX we do this

	fixup protocol dns maximum-length 1024

Check your docs for what you need to do to let EDNS0 packets get through
the firewall.
- Joel
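To make the size difference in the captures concrete, here is an added Python illustration (not code from the thread or from any firewall vendor): it builds a DNS message with and without an EDNS0 OPT record, reads the advertised UDP payload size back out of any DNS message, and applies a fixed maximum-length check the way a legacy DNS fixup does. The name, addresses and the 4096-byte payload size are constructed sample values.

```python
import struct

CLASSIC_UDP_MAX = 512  # RFC 1035 limit that an unconfigured DNS fixup still enforces

def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_message(name, addrs=(), edns_payload=None, response=False):
    """Constructed A query/response for `name`; edns_payload adds an OPT RR (ARCOUNT=1)."""
    flags = 0x8180 if response else 0x0100
    arcount = 1 if edns_payload else 0
    msg = struct.pack(">HHHHHH", 0x1234, flags, 1, len(addrs), 0, arcount)
    msg += _encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    for a in addrs:
        # Owner name as a compression pointer to offset 12, TYPE=A, CLASS=IN, TTL, RDLENGTH=4
        msg += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
        msg += bytes(int(octet) for octet in a.split("."))
    if edns_payload:
        # OPT RR (RFC 2671): root owner name, TYPE=41, CLASS field carries the UDP payload size
        msg += b"\x00" + struct.pack(">HHIH", 41, edns_payload, 0, 0)
    return msg

def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def edns_payload_size(msg):
    """UDP payload size advertised by the OPT RR, or None when the message has no EDNS0."""
    qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QNAME, QTYPE, QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return None

def passes_fixup(msg, maximum_length=CLASSIC_UDP_MAX):
    """Model a DNS fixup with a fixed maximum length: True when the datagram is let through."""
    return len(msg) <= maximum_length
```

A stub resolver that sends no OPT record never sees a reply over 512 bytes (the server truncates instead), while a caching server advertising 4096 bytes gets the full answer and the fixup drops it unless its maximum length is raised.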
