Troubleshooting slow DNS lookup

Mark Andrews marka at
Fri Nov 26 04:58:18 UTC 2010

In message <AANLkTimZMC4PGNe7N72hnB7gnjUaT9r2OKTiGAazv4RP at>, Rianto
Wahyudi writes:
> Hi Mark,
> Thanks for the pointers, you are spot on!
> Doing dig +trace +dnssec always fails.
> After some investigation with the network guys, it appears that our upstream
> firewall is dropping DNS UDP packets larger than 512.
> Cisco FWSM has this configuration enabled by default:
> l#wp1565355

So the default is "inspect dns maximum-length 512" if I read that
page correctly.  "inspect dns" or as a minimum "inspect dns
maximum-length 4096" will allow reply traffic through for named.

I thought I had heard that Cisco had code which looked for the EDNS
UDP size option and adjusted the maximum length based on that on a
per-transaction basis and enforced 512 if there wasn't an EDNS option.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at
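The thread above turns on two things: the EDNS0 OPT record in which a resolver advertises how large a UDP reply it can take (dig +dnssec sends one, with the DO bit set), and a middlebox that caps DNS-over-UDP message length regardless of that advertisement. The following is an added example, not code from the thread, from ISC or from Cisco: it hand-builds a DNS query with an EDNS0 OPT record, parses the advertised UDP payload size back out of a query, and models the two firewall behaviours discussed (a fixed "maximum-length" cap, and the per-transaction EDNS-aware cap Mark recalls hearing about, which is treated here purely as an assumption). All packets are constructed inline; nothing is sent on the network.

```python
"""Added example for the bind-users thread on FWSM "inspect dns maximum-length".
Builds an EDNS0 query, extracts the advertised UDP payload size, and models
how a length-capping firewall treats a response of a given size.  Offline."""
import struct

TYPE_A = 1
TYPE_OPT = 41      # EDNS0 pseudo-RR type (RFC 6891)
CLASS_IN = 1
DO_BIT = 0x8000    # DNSSEC OK flag lives in the high bit of the OPT "TTL" field


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=0x1234, edns_udp_size=None, dnssec_ok=False):
    """Return a wire-format query; with edns_udp_size set, append an OPT RR.

    The OPT RR reuses the generic RR layout: NAME is the root (a single zero
    byte), CLASS carries the requestor's UDP payload size, and the TTL field
    carries extended RCODE, EDNS version, the DO bit and Z bits.  RDLEN is 0
    because no EDNS options are attached."""
    flags = 0x0100  # RD (recursion desired), QR/AA/TC/RA clear
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    pkt = header + question
    if edns_udp_size is not None:
        ttl = DO_BIT if dnssec_ok else 0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, ttl, 0)
    return pkt


def _skip_name(pkt, off):
    """Advance past a wire-format name, honouring compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def edns_udp_size(pkt):
    """Return (udp_payload_size, do_bit) from the OPT RR, or None if no EDNS0."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & DO_BIT)
        off += rdlen
    return None


def fixed_cap_drops(response_len, maximum_length=512):
    """Model of 'inspect dns maximum-length N' as described in the thread:
    any UDP DNS message longer than N bytes is dropped, whatever the query
    advertised.  512 is the default Rian reports; 4096 is Mark's minimum."""
    return response_len > maximum_length


def edns_aware_cap_drops(query_pkt, response_len, fallback=512):
    """ASSUMED behaviour (Mark only recalls hearing of it; not verified against
    Cisco documentation): the cap is taken from the query's EDNS UDP size on a
    per-transaction basis, falling back to 512 when the query has no OPT RR."""
    edns = edns_udp_size(query_pkt)
    limit = edns[0] if edns else fallback
    return response_len > limit


if __name__ == "__main__":
    # Constructed scenario: a dig +dnssec style query (EDNS 4096, DO set) and a
    # hypothetical 1200-byte signed answer coming back through the firewall.
    q = build_query("isc.org", edns_udp_size=4096, dnssec_ok=True)
    print("query advertises", edns_udp_size(q))
    print("dropped with maximum-length 512 :", fixed_cap_drops(1200, 512))
    print("dropped with maximum-length 4096:", fixed_cap_drops(1200, 4096))
    print("dropped by EDNS-aware cap       :", edns_aware_cap_drops(q, 1200))
```

The response sizes fed to the model are made up for illustration; what matters is the comparison. A DNSSEC-signed answer routinely exceeds 512 bytes, so with the default cap the reply never arrives and the client either times out or retries over TCP, which is the failure Rian observed with dig +trace +dnssec.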

More information about the bind-users mailing list