Troubleshooting slow DNS lookup
me at rwahyudi.com
Fri Nov 26 04:23:20 UTC 2010
Thanks for the pointers, you are spot on!
Doing dig +trace +dnssec www.paypal.com always fails.
After some investigation with the network guys, it appears that our upstream
firewall is dropping DNS UDP packets larger than 512.
Cisco FWSM has this configuration enabled by default:
Once again thanks for the help!
> You need to mimic the nameserver more closely and turn on +dnssec.
> dig +trace +dnssec www.paypal.com
> I suspect you have a firewall that is blocking the larger replies +dnssec
> produces. Named will work around this by adjusting the queries it makes
> but that requires timeouts and hence the longer resolution time.
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
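
The check discussed in this thread, as an added example that is not part of the original messages: it sends the same query with an EDNS0 UDP size of 512 and of 4096 (DO bit set, as dig +dnssec does) and compares the outcomes. The function names are hypothetical, the server address and query name are supplied by the operator, and the name is assumed to produce a signed reply larger than 512 bytes.

```python
import socket
import struct
import sys

def build_query(name, bufsize, qtype=1, dnssec=True, qid=0x1234):
    """DNS query with an EDNS0 OPT record, as dig +dnssec +bufsize=N sends."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)            # class IN
    ttl = 0x8000 if dnssec else 0                              # DO bit sits in the OPT TTL
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, ttl, 0)  # OPT: CLASS = UDP size
    return header + question + opt

def classify(reply):
    """reply is the raw UDP payload, or None when the probe timed out."""
    if reply is None:
        return "timeout"
    flags = struct.unpack("!H", reply[2:4])[0]
    return "truncated" if flags & 0x0200 else "ok"             # TC bit

def diagnose(small, large):
    """Compare classify() results for bufsize 512 and bufsize 4096."""
    if small == "timeout" and large == "timeout":
        return "no reply at all: server unreachable or all DNS blocked"
    if large == "timeout":
        return "replies over 512 bytes are dropped on the path"
    return "large replies pass"

def probe(server, name, bufsize, qtype=1, timeout=3.0):
    """Send one query over UDP and return the reply bytes, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, bufsize, qtype), (server, 53))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None

if __name__ == "__main__":
    # usage: script.py <server-ip> <name>; both are supplied by the operator
    server, name = sys.argv[1], sys.argv[2]
    results = {n: classify(probe(server, name, n)) for n in (512, 4096)}
    print(results, "->", diagnose(results[512], results[4096]))
```

A "truncated" result at 512 together with a timeout at 4096 matches the behaviour described in the thread: the small reply gets through and the large one does not.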