How to reduce the number of IP addresses returned when resolving a big round robin DNS entry
Mark Andrews
Mark_Andrews at isc.org
Thu Nov 30 23:13:36 UTC 2006
> Hi,
> In fact I have to reduce it to 26 responses to have no truncated message.
>
> I've got strange behaviour from a particular DNS resolver on a Wi-Fi mobile:
> the resolver waits for the other responses (when the message is truncated)
> and does nothing until it receives another packet containing the rest of the
> other responses...!
> It doesn't switch over to TCP...!
So it needs the full UDP packet. Nothing strange there. Most
IP stacks don't pass fragments to the application layer.
> I saw that DJBDNS sends 8 responses from a random set of hosts... a small and
> good LB function like I want.
>
> I'll have to upgrade to BIND 9.3.
> My BIND version is 9.2 and BIND 9.2 does not support EDNS.
All versions of BIND 9 support EDNS.
> I'll have to modify the inspection engine on the Cisco FWSM card to allow packets
> up to 1500 bytes.
EDNS responses can be up to 4096 bytes, with BIND 9, which may be
in multiple fragments. You need to ensure your firewall will
either reassemble the packet before resending and/or that it will
pass IP fragments.
> I'll try to make a VIP and use IOS SLB (destination NAT) to solve my
> problem
> and have only one IP to return... but no one ever NATs that kind of
> protocol.
>
> regards,
>
> 2006/11/30, Joseph S D Yao <jsdy at center.osis.gov>:
> >
> > Why was this sent to both the mailing-list address and the newsgroup
> > list for the mailing list? ;-(
> >
> >
> > On Tue, Nov 28, 2006 at 11:03:08AM +0100, besnard michel wrote:
> > ...
> > > I'm facing a "message truncated" bit problem; my BIND server sends back
> > > 29 RRs to my DNS client. But not all my DNS clients accept this bit and
> > > use TCP instead (normal); for the moment I do not accept TCP
> > > (firewalled and not load balanced, need to check BIND configuration...
> > > to make). So I reduce the number of entries in my big IN A round robin
> > > entry. I think it's the best solution for security: DDoS attack. So
> > > I try to use UDP only for DNS clients.
> > ...
> >
> > Four things.
> >
> > (1) This is one reason why you must NOT block TCP port 53 in your
> > firewall.
> >
> > (2) You should reduce the number of IP addresses. You cannot get 29
> > responses in a standard packet, and you can't make a GOOD name server
> > return less than the full truth. And if you start using a lying name
> > server, you will get what you deserve - lies.
> >
> > (3) I was about to say something about keeping all of the names short,
> > but of course in an A query there is only one name. Skip this one.
> >
> > (4) EDNS allows larger packet sizes.
> >
> > --
> > Joe Yao
> > -----------------------------------------------------------------------
> > This message is not an official statement of OSIS Center policies.
> >
>
>
>
> --
> Cdt,
> Michel BESNARD
>
> http://blog.yumanet.com
> http://blog.mfl42.net
> http://sweetlili.yumanet.com
>
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
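The size arithmetic behind this thread (why 29 A records do not fit in a 512-byte UDP answer, and why an EDNS buffer changes that) can be checked directly. The script below is an added example, not code from the thread or from BIND: it assembles a minimal RFC 1035 response with name compression, drops the answers that would not fit and sets the TC bit, and optionally appends an EDNS0 OPT RR. The hostname, the 192.0.2.0/24 addresses, the TTL and the 4096-byte EDNS buffer are constructed assumptions for the example.

```python
"""Wire-size arithmetic for a big round-robin A response.

Added example, not code from the bind-users thread or from BIND itself.
It assembles a minimal DNS response (RFC 1035 wire format with name
compression) for a constructed hostname and address set, and shows how
many A records fit under the classic 512-byte UDP limit versus an EDNS0
buffer, and when the TC (truncated) bit has to be set.
"""
import struct

CLASSIC_UDP_MAX = 512   # RFC 1035 UDP limit when the client sends no OPT RR
EDNS_BUFSIZE = 4096     # assumed EDNS buffer size, matching the figure in the thread
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

# Constructed sample data: a documentation hostname and 29 addresses from 192.0.2.0/24.
HOST = "big-round-robin.service.example.net"
ADDRS = ["192.0.2.%d" % i for i in range(1, 30)]


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def a_record(ttl, address):
    """One A RR whose owner name is a compression pointer to the question (offset 12)."""
    rdata = bytes(int(octet) for octet in address.split("."))
    return b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata


def opt_record(bufsize):
    """EDNS0 OPT pseudo-RR: root owner name, CLASS field carries the UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, 0, 0)


def max_answers(qname, max_size, edns=False):
    """How many compressed A RRs fit once header, question and OPT RR are paid for."""
    fixed = 12 + len(encode_name(qname)) + 4 + (len(opt_record(EDNS_BUFSIZE)) if edns else 0)
    return (max_size - fixed) // len(a_record(0, "0.0.0.0"))


def build_response(qname, addresses, max_size, edns=False, txid=0x1234, ttl=60):
    """Build the response to an A query, keeping only the answers that fit.

    Returns (wire, answers_included, truncated). Like a conforming server,
    it drops the answers that would exceed max_size and sets TC, leaving
    the client to retry over TCP (which is why TCP/53 must not be blocked).
    """
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    opt = opt_record(EDNS_BUFSIZE) if edns else b""
    answers, size, truncated = [], 12 + len(question) + len(opt), False
    for address in addresses:
        rr = a_record(ttl, address)
        if size + len(rr) > max_size:
            truncated = True
            break
        answers.append(rr)
        size += len(rr)
    flags = 0x8180 | (0x0200 if truncated else 0)   # QR, RD, RA, plus TC when needed
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 1 if edns else 0)
    return header + question + b"".join(answers) + opt, len(answers), truncated


def is_truncated(wire):
    """Read the TC bit straight from the header, as a resolver would."""
    return bool(wire[2] & 0x02)


if __name__ == "__main__":
    for label, size, edns in (("plain UDP", CLASSIC_UDP_MAX, False), ("EDNS0", EDNS_BUFSIZE, True)):
        wire, n, tc = build_response(HOST, ADDRS, size, edns=edns)
        print("%-9s max %4d bytes: %2d of %d answers, %3d bytes on the wire, TC=%s"
              % (label, size, n, len(ADDRS), len(wire), tc))
```

For this 35-byte name, 28 compressed A records fit under 512 bytes and the 29th forces TC; with a 4096-byte EDNS buffer all 29 go out in a 528-byte message. A real BIND answer also carries authority and additional sections, which is why the count in practice (26 in the thread) is lower than this arithmetic. Note that 528 bytes still travels in one IP packet, but a response that actually uses most of a 4096-byte buffer exceeds a 1500-byte Ethernet MTU and arrives as IP fragments, which is the firewall point made above.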