Troubleshooting slow DNS lookup
marka at isc.org
Wed Dec 8 10:31:02 UTC 2010
In message <AANLkTimS2mFbib5LPdpqYaRc8Ds1GG4dB7b2tEa=BnZa at mail.gmail.com>, Rianto Wahyudi writes:
> Hi Mark,
> Thanks for your quick response !
> > Standards Track.
> > RFC 2671 Extension Mechanisms for DNS (EDNS0)
> > RFC 3226 DNSSEC and IPv6 A6 aware server/resolver message size requirements
> Unfortunately, an RFC is not considered good enough ... unless we
> can find actual proof that can be replicated :(
> I also did some DNSSEC trace demonstrations, and it is still not a good
> enough reason:
> ie : dig www.anyhostname.com +trace +dnssec .
> This test always fails and it produces an FWSM log entry similar to:
> : %FWSM-2-106007: Deny inbound UDP from 188.8.131.52/53 to
> 10.0.0.1/64788 due to DNS Response
I also suggest that you ask your firewall people to talk to the
CISCO TAC about how to properly configure the firewall for a
nameserver that supports EDNS. The defaults are not set up for a
nameserver that supports EDNS.
If they don't want to do that, read what CISCO recommends here:
> > Informational.
> > RFC 4294 IPv6 Node Requirements
> > http://labs.ripe.net/Members/anandb/content-testing-your-resolver-dns-rep=
> > How about the root servers?
> >> - Any example of a DNS record that sends a packet larger than 512?
> > The root servers.
> >     dig +dnssec dnskey .
> This, for some reason, works without any problem:
Well if you ask the root servers ....
dig +dnssec dnskey . @a.root-servers.net
With just "dig +dnssec dnskey ." you are talking to your own server so
are not going through the firewall. You will also notice it took 1/2
a second to get that answer so named did several different attempts in
that 1/2 second.
> ;; Query time: 547 msec
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
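As an added illustration (not code from the thread or from ISC), the Python below builds a DNSKEY query for the root zone carrying an EDNS0 OPT record, constructs an oversized DNSKEY-style answer with placeholder key bytes, and inspects each message for its length, the TC bit and the advertised EDNS UDP payload size, flagging anything over the pre-EDNS 512-byte UDP limit that the firewall in this thread appears to enforce. All message bytes and key lengths are constructed for the example.

```python
import struct

OPT_TYPE, DNSKEY_TYPE = 41, 48
CLASSIC_UDP_LIMIT = 512  # pre-EDNS maximum UDP DNS message size (RFC 1035)


def build_edns_query(qname, qtype=DNSKEY_TYPE, bufsize=4096):
    """Query with an EDNS0 OPT RR (RFC 2671) advertising `bufsize`; DO bit set."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)  # id, RD, QD=1, AR=1
    labels = [l for l in qname.rstrip(".").split(".") if l]   # "." -> no labels
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner name, TYPE 41, CLASS field = requestor UDP payload size,
    # TTL field = extended RCODE/version/flags (0x8000 = DO), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, 0x00008000, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Return offset just past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # pointer: 2 bytes, terminates the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def build_fake_response(query, n_keys=3, key_len=200):
    """Constructed DNSKEY-style answer: echoes the question, adds `n_keys` dummy
    RRs (zero-filled placeholder key data, not real keys) and an OPT RR."""
    qend = _skip_name(query, 12) + 4
    header = query[:2] + struct.pack("!5H", 0x8180, 1, n_keys, 0, 1)  # QR, RD, RA
    rr = b"\xc0\x0c" + struct.pack("!HHIH", DNSKEY_TYPE, 1, 3600, key_len) + b"\x00" * key_len
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0x00008000, 0)
    return header + query[12:qend] + rr * n_keys + opt


def inspect(msg):
    """Report size, TC bit and EDNS buffer size; flag messages over 512 bytes."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    bufsize = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            bufsize = rclass                    # CLASS field carries the UDP payload size
        off += 10 + rdlen
    return {"length": len(msg), "truncated": bool(flags & 0x0200),
            "edns_bufsize": bufsize, "over_classic_limit": len(msg) > CLASSIC_UDP_LIMIT}
```

A 664-byte answer is not truncated (TC clear) because the OPT record advertised 4096 bytes, yet it is exactly the kind of response a firewall that still assumes a 512-byte DNS maximum will drop.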