Troubleshooting slow DNS lookup

Mark Andrews marka at isc.org
Fri Nov 26 04:58:18 UTC 2010


In message <AANLkTimZMC4PGNe7N72hnB7gnjUaT9r2OKTiGAazv4RP at mail.gmail.com>, Rianto Wahyudi writes:
> Hi Mark,
> 
> Thanks for the pointers, you are spot on!
> 
> Doing dig +trace +dnssec www.paypal.com always fails.
> After some investigation with the network guys, it appears that our upstream
> firewall is dropping DNS UDP packets larger than 512.
> Cisco FWSM has this configuration enabled by default:
> 
> http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/i2.html#wp1565355

So the default is "inspect dns maximum-length 512" if I read that
page correctly.  "inspect dns" or as a minimum "inspect dns
maximum-length 4096" will allow reply traffic through for named.

I thought I had heard that Cisco had code which looked for the EDNS
UDP size option and adjusted the maximum length based on that on a
per-transaction basis, and enforced 512 if there wasn't an EDNS option.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
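The two behaviours discussed in this exchange, a fixed "inspect dns maximum-length N" cap versus a cap that follows the UDP payload size advertised in the query's EDNS0 OPT record, can be modelled on the wire format itself. The block below is an added example written for this page; it is not ISC or Cisco code, and the EDNS-aware policy it implements is an assumption modelled on Mark's recollection rather than documented FWSM behaviour. It builds a plain query and a `+dnssec`-style query for www.paypal.com (the OPT record, 4096-byte buffer size and 1400-byte reply length are constructed values), extracts the advertised size back out of the packet, and reports which replies each policy would drop.

```python
"""Build DNS queries with and without an EDNS0 OPT record and model the
reply-size limits discussed above.  Added example for this page, not ISC or
Cisco code; the EDNS-aware policy is an assumption, not documented FWSM
behaviour."""
import struct

CLASSIC_MAX = 512          # RFC 1035 UDP payload limit; the FWSM default
OPT_TYPE = 41              # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_BIT = 0x8000            # DNSSEC OK flag in the OPT TTL field


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, udp_size=None, dnssec_ok=False, txid=0x1234):
    """Return a wire-format query.  With udp_size set, append an OPT RR in the
    additional section advertising that UDP payload size (what dig +dnssec
    does with its default +bufsize); without it, a classic 512-byte query."""
    arcount = 1 if udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)     # class IN
    msg = header + question
    if udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS=udp payload size,
        # TTL=ext-rcode(8)|version(8)|DO+Z(16), RDLENGTH=0
        ttl = DO_BIT if dnssec_ok else 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return msg


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name starting at offset off."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + ln


def advertised_udp_size(msg):
    """Return the UDP payload size from the query's OPT RR, or None if the
    query carries no EDNS0.  Values below 512 are treated as 512 (RFC 6891)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return max(rclass, CLASSIC_MAX)
    return None


def max_reply_length(query, configured_max=CLASSIC_MAX, edns_aware=False):
    """Largest UDP reply the inspection policy lets through for this query.

    edns_aware=False models 'inspect dns maximum-length N': a fixed cap.
    edns_aware=True models the per-transaction behaviour Mark recalled (an
    assumption here): the cap follows the size the query advertised, and
    falls back to 512 when the query has no OPT RR."""
    if edns_aware:
        size = advertised_udp_size(query)
        return size if size is not None else CLASSIC_MAX
    return configured_max


def reply_dropped(query, reply_len, **policy):
    """True if a reply of reply_len bytes to this query would be dropped."""
    return reply_len > max_reply_length(query, **policy)


if __name__ == "__main__":
    plain = build_query("www.paypal.com")
    dnssec = build_query("www.paypal.com", udp_size=4096, dnssec_ok=True)
    # A signed answer with its RRSIGs easily exceeds 512 bytes; 1400 is a
    # constructed reply size standing in for such an answer.
    policies = (("default 512", {}),
                ("max-length 4096", {"configured_max": 4096}),
                ("EDNS-aware", {"edns_aware": True}))
    for label, cfg in policies:
        print(label, "drops 1400-byte reply to +dnssec query:",
              reply_dropped(dnssec, 1400, **cfg),
              "| to plain query:", reply_dropped(plain, 1400, **cfg))
```

With the default policy the 1400-byte DNSSEC reply is dropped, which is the symptom Rianto saw with dig +trace +dnssec; raising the cap to 4096 lets it through, and under the EDNS-aware policy the same reply passes only because the query advertised 4096, while a reply that size to a plain query is still cut at 512.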
