Troubleshooting slow DNS lookup
marka at isc.org
Wed Dec 8 05:30:52 UTC 2010
In message <AANLkTi=T5tj29_GMnGBTPuG8cfYRQpgadr=-yVFwJ0mq at mail.gmail.com>, Rian
to Wahyudi writes:
> Our network team are quite reluctant to make any changes on the FWSM
> in regards to DNS inspection.
> So it seems that we are stuck with maximum UDP packet of 512 byte.
> Unfortunately, I do not have much evidence (ie user complains) to
> escalate this issue much further except from few number of users who
> *intermittently* unable to access www.paypal.com.
> The term "intermittently" is the main keyword, and because of that the
> finger are now point back the the DNS server.
It's intermittent because it takes named time to workout what will
work with your firewall and the clients timeout in the meantime.
This will only get worse over time.
> I believe that Increasing the maximum limit or disable inspection will
> fix the issue , but I will need to gather sufficient case and
> compelling report.
RFC 2671 Extension Mechanisms for DNS (EDNS0)
RFC 3226 DNSSEC and IPv6 A6 aware server/resolver message size requirements
RFC 4294 IPv6 Node Requirements
> - Does any one have a good example of prominent website that have
> DNSEC setup properly other than paypal?
How about the root servers?
> - Any example of dns record that send packet larger than 512 ?
The root servers.
dig +dnssec dnskey .
> - Any other information I can use to help create the report ?
> As a work around I can possibly set EDNS UDP size to match the
> firewall limit, but I think this is my last option.
> Any help is greatly appreciated!
> Rianto Wahyudi
> bind-users mailing list
> bind-users at lists.isc.org
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users