Intermittent Issue Resolving External Domains

David Price davelist at blackhole.com
Wed May 26 22:47:51 UTC 2004


Joel M Nimety wrote:

> Hello --
> I'm running bind Version: 9.2.4rc2
> Linux ns81 2.4.19 #1 Fri Oct 4 18:36:11 EDT 2002 sparc64 unknown
> 
> Using Debian 3.0
> 
> We're experiencing intermittent issues resolving domain names.  Often 
> these domains are microsoft.com, cnn.com, etc.  We are running 3 
> identical servers and sometimes they can go a week or two without any 
> trouble (other times only hours), then without warning one server will be 
> unable to perform a recursive lookup for a few domains.
> 
> rndc flush has no effect, restarting bind fixes any problems.
> 
> I have a cache dump created during one of the outages, if that would be 
> helpful I can post it.
> 
> I've also attached my named.conf
> 
> 
> Any insight is very much appreciated.
> 
This sounds like something we dealt with a while back. We are sitting 
behind a PIX firewall and the PIX will block every DNS packet larger 
than 512 (many other firewalls do this too). The EDNS protocol allows 
for larger DNS packets. This means that anything returning large EDNS 
packets will be "unresolvable". Unfortunately there is no way to turn 
off this behaviour in the PIX. There is a config directive that you can 
put in the options section called "edns-udp-size"; if you set that to 512 
it should bypass this.

I can't tell for sure if this is your problem but I didn't see the 
edns-udp-size in your attached config file, so if you are behind a 
firewall it may be worth a try.

-David Price
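As an added illustration (not code from the thread or from BIND), the following Python probe sends the same A query three ways: with no EDNS at all, with an EDNS OPT record advertising a 512-byte UDP buffer, and with one advertising 4096 bytes. Replies to the first two but a timeout on the third is the signature of a middlebox that drops UDP DNS packets over 512 bytes, as described above. The function names and the resolver/name you pass on the command line are assumptions.

```python
import socket
import struct

# Added example: hand-built DNS query with optional EDNS0 OPT record.
# In an OPT RR the CLASS field carries the sender's UDP payload size.

def build_query(name, udp_size=4096, qid=0x1234):
    """Build an A/IN query; append an EDNS0 OPT RR when udp_size is set."""
    arcount = 1 if udp_size is not None else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    packet = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS=udp payload size, TTL=0, RDLEN=0
        packet += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return packet

def parse_response(data):
    """Decode the header: id, TC flag (answer did not fit), rcode, counts."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "truncated": bool(flags & 0x0200),
            "rcode": flags & 0x0F, "answers": an, "size": len(data)}

def probe(server, name, udp_size, timeout=3.0):
    """Send one UDP query; None means no reply, which is what a silent
    drop of an oversized response looks like from the resolver's side."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(name, udp_size), (server, 53))
        return parse_response(s.recv(65535))
    except socket.timeout:
        return None
    finally:
        s.close()

if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]  # e.g. your resolver, microsoft.com
    for size in (None, 512, 4096):
        print("edns", size, "->", probe(server, name, size))
```

A reply with `truncated` set on the 512-byte run means the server wants TCP fallback, which is the normal path; only the 4096-byte run timing out while the others answer points at the 512-byte filter.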



More information about the bind-users mailing list