Troubleshooting slow DNS lookup

Rianto Wahyudi me at
Wed Dec 8 04:38:16 UTC 2010

Our network team are quite reluctant to make any changes on the FWSM
in regards to DNS inspection.
So it seems that we are stuck with a maximum UDP packet of 512 bytes.

Unfortunately, I do not have much evidence (i.e. user complaints) to
escalate this issue much further, except from a few users who are
*intermittently* unable to access.
The term "intermittently" is the main keyword, and because of that the
fingers are now pointing back at the DNS server.

I believe that increasing the maximum limit or disabling inspection will
fix the issue, but I will need to gather sufficient cases and a
compelling report.

- Does anyone have a good example of a prominent website that has
DNSSEC set up properly, other than PayPal?
- Any example of a DNS record that sends a packet larger than 512 bytes?
- Any other information I can use to help create the report?

As a workaround I can possibly set the EDNS UDP size to match the
firewall limit, but I think this is my last option.

Any help is greatly appreciated!

Rianto Wahyudi
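The two mechanisms the post is juggling (the EDNS0 UDP payload size a resolver advertises, and a firewall that still drops UDP DNS above the classic 512-byte limit) are easy to see on the wire. The script below is an added example, not code from the post or from any DNS vendor: it builds a query with an EDNS0 OPT record (RFC 6891) at a chosen payload size, reads the advertised size back out of a message, constructs a reply large enough to exceed 512 bytes, and reports whether a reply is truncated (TC bit, meaning "retry over TCP") or would simply be dropped by a 512-byte UDP filter. All sample messages are constructed inline; the function names, the `example.com` owner name and the `192.0.2.x` addresses are assumptions for illustration, not anything from the original thread.

```python
"""Inspect DNS messages for EDNS0 advertised UDP size and truncation.

Added example (not from the original post). Standard library only, with
constructed byte strings, so it runs offline. Wire format follows RFC 1035;
the EDNS0 OPT pseudo-RR (type 41, CLASS field = UDP payload size) follows RFC 6891.
"""
import socket
import struct

OPT_TYPE = 41
CLASSIC_UDP_LIMIT = 512   # pre-EDNS UDP limit, the size some firewalls still enforce
TC_FLAG = 0x0200          # TrunCation bit in the header flags


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname into DNS label wire format (no compression)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, edns_udp_size=4096, txid: int = 0x1234) -> bytes:
    """Build an A query; when edns_udp_size is not None, append an EDNS0 OPT RR
    advertising that payload size (DO bit set, as a DNSSEC-aware resolver would)."""
    arcount = 0 if edns_udp_size is None else 1
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD=1
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)         # question, class IN
    if edns_udp_size is not None:
        # OPT RR: root owner name, TYPE=41, CLASS=payload size,
        # TTL=ext-rcode(0)/version(0)/flags(DO=0x8000), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0x00008000, 0)
    return msg


def build_reply(name: str, addresses, txid: int = 0x1234, truncated: bool = False) -> bytes:
    """Construct a reply with one A record per address (constructed sample data).
    Answer owner names use a compression pointer to the question name at offset 12."""
    flags = 0x8180 | (TC_FLAG if truncated else 0)                # QR, RD, RA (+TC)
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for addr in addresses:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return msg


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at msg[off], handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg: bytes):
    """Return the EDNS0 UDP payload size advertised in msg, or None if there is no OPT RR."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                              # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return None


def diagnose(response: bytes, firewall_udp_limit: int = CLASSIC_UDP_LIMIT) -> dict:
    """Summarise a reply: TC means the client must retry over TCP; a datagram larger
    than the firewall's UDP limit never reaches the client at all."""
    txid, flags, *_ = struct.unpack("!HHHHHH", response[:12])
    truncated = bool(flags & TC_FLAG)
    size = len(response)
    if truncated:
        verdict = "retry over TCP"
    elif size > firewall_udp_limit:
        verdict = "would be dropped by a %d-byte UDP limit" % firewall_udp_limit
    else:
        verdict = "fits"
    return {"id": txid, "truncated": truncated, "size": size,
            "over_limit": size > firewall_udp_limit, "verdict": verdict}


if __name__ == "__main__":
    print("default query advertises", advertised_udp_size(build_query("example.com")))
    print("firewall-sized query advertises", advertised_udp_size(build_query("example.com", edns_udp_size=512)))
    big = build_reply("example.com", ["192.0.2.%d" % i for i in range(32)])   # 541 bytes
    print(diagnose(big))
    print(diagnose(build_reply("example.com", ["192.0.2.1"], truncated=True)))
</test>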

