How to reduce the number of IP address returned when resolving a big round robin DNS entry

Mark Andrews Mark_Andrews at isc.org
Thu Nov 30 23:13:36 UTC 2006


> Hi,
> In fact I have to reduce it to 26 responses to have no truncated message.
> 
> I've got strange behaviour of a particular DNS resolver on wifi mobile:
> the resolver waits for the other responses (when the message is truncated)
> and does nothing until it receives another packet containing the rest of the
> other responses...!
> It doesn't switch over to TCP ... !

	So it needs the full UDP packet.  Nothing strange there.  Most
	IP stacks don't pass fragments to the application layer.
 
> I saw that DJBDNS sends 8 responses from a random set of hosts... a small and
> good LB function like I want.
> 
> I have to upgrade to BIND 9.3;
> my BIND version is 9.2 and BIND 9.2 does not support EDNS.

	All versions of BIND 9 support EDNS.
 
> I'll have to modify the inspection engine on the Cisco FWSM card to allow packets
> up to 1500 bytes.

	EDNS responses can be up to 4096 bytes, with BIND 9, which may be
	in multiple fragments.  You need to ensure your firewall will
	either reassemble the packet before resending and/or that it will
	pass IP fragments.

> I'll try to make a VIP and use IOS SLB (NAT destination) to solve my
> problem
> and have only one IP to return ... but no one ever NATs that kind of
> protocol.
> 
> regards,
> 
> 2006/11/30,  Joseph S D Yao <jsdy at center.osis.gov>:
> >
> > Why was this sent to both the mailing-list address and the newsgroup
> > list for the mailing list?  ;-(
> >
> >
> > On Tue, Nov 28, 2006 at 11:03:08AM +0100, besnard michel wrote:
> > ...
> > > I'm facing the "message truncated" bit problem; my BIND server sends back
> > > 29 RRs to my DNS client. But not all my DNS clients accept this bit and
> > > use TCP instead (normal); for the moment I do not accept TCP
> > > (firewalled and not load balanced, need to check BIND configuration...
> > > to make). So I reduce the number of entries in my big IN A round robin
> > > entry. I think it's the best solution for security: DDoS attack. So
> > > I try to use UDP only for DNS clients.
> > ...
> >
> > Four things.
> >
> > (1) This is one reason why you must NOT block TCP port 53 in your
> > firewall.
> >
> > (2) You should reduce the number of IP addresses.  You cannot get 29
> > responses in a standard packet, and you can't make a GOOD name server
> > return less than the full truth.  And if you start using a lying name
> > server, you will get what you deserve - lies.
> >
> > (3) I was about to say something about keeping all of the names short,
> > but of course in an A query there is only one name.  Skip this one.
> >
> > (4) EDNS allows larger packet sizes.
> >
> > --
> > Joe Yao
> > -----------------------------------------------------------------------
> >    This message is not an official statement of OSIS Center policies.
> >
> 
> 
> 
> -- 
> Cdt,
> Michel BESNARD
> 
> http://blog.yumanet.com
> http://blog.mfl42.net
> http://sweetlili.yumanet.com
> 
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
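Added example, not part of this thread or of BIND: the script below builds a reply to an A query in RFC 1035 wire format, with name compression, optional NS records plus glue (as an authoritative answer normally carries) and an optional EDNS0 OPT record, and counts how many A records fit before the TC bit would have to be set. It assumes constructed names (www.example.com, ns1/ns2) and addresses; the 4096-byte EDNS0 size is the one the thread gives for BIND 9, and the buffer size is a parameter so the same code covers other EDNS0 sizes too.

```python
import struct

UDP_CLASSIC, EDNS_BIND9 = 512, 4096   # RFC 1035 UDP ceiling; EDNS0 size the thread gives for BIND 9

def encode_name(name):
    """Encode a dotted name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_a_response(qname, addresses, ns_labels=(), edns_bufsize=None):
    """Wire-format reply to an A query.  ns_labels are hypothetical nameserver
    labels under the zone (qname minus its first label); each adds an NS record
    plus A glue, as an authoritative reply normally carries.  Returns
    (message, truncated): truncated means the UDP limit was exceeded and TC set."""
    limit = edns_bufsize or UDP_CLASSIC
    body = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    for ip in addresses:
        # 0xC00C points back at the QNAME (offset 12): every A record costs a
        # fixed 16 bytes, however long the owner name is.
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    zone_ptr = 0xC000 | (12 + 1 + len(qname.split(".")[0]))
    glue_offsets = []
    for ns in ns_labels:                       # NS RRs, owner = zone apex
        body += struct.pack("!HHHIH", zone_ptr, 2, 1, 300, len(ns) + 3)
        glue_offsets.append(12 + len(body))    # offset of this ns name
        body += bytes([len(ns)]) + ns.encode("ascii") + struct.pack("!H", zone_ptr)
    for i, off in enumerate(glue_offsets):     # glue A RRs, owner = ns name
        body += struct.pack("!HHHIH", 0xC000 | off, 1, 1, 300, 4) + bytes([192, 0, 2, i + 1])
    if edns_bufsize:   # OPT pseudo-RR (RFC 2671): root owner, type 41, CLASS = payload size
        body += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    truncated = 12 + len(body) > limit
    flags = 0x8180 | (0x0200 if truncated else 0)          # QR RD RA (+ TC)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addresses),
                         len(ns_labels), len(ns_labels) + (1 if edns_bufsize else 0))
    return header + body, truncated

def max_records(qname, ns_labels=(), edns_bufsize=None):
    """Largest number of A records that still fit without truncation."""
    best = 0
    for count in range(1, 1024):
        addrs = ["10.0.%d.%d" % ((i >> 8) & 255, i & 255) for i in range(count)]
        if build_a_response(qname, addrs, ns_labels, edns_bufsize)[1]:
            break
        best = count
    return best

if __name__ == "__main__":   # the thread's situation: NS + glue present, with and without EDNS0
    for bufsize in (None, EDNS_BIND9):
        print(bufsize or UDP_CLASSIC, "bytes:", max_records("www.example.com", ("ns1", "ns2"), bufsize), "A records fit")
```

With the two constructed NS records and their glue, 25 A records fit in 512 bytes while 29 set TC, which is the same order of magnitude the original poster observed; with a 4096-byte EDNS0 buffer the same reply holds 249.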