[External] Re: intermittent resolution

Barry Margolin barmar at alum.mit.edu
Wed Oct 30 23:57:41 UTC 2013

In article <mailman.1592.1383170345.20661.bind-users at lists.isc.org>,
 "Samp, Daniel [USA]" <Samp_Daniel at bah.com> wrote:

> In the past when I've had issues with certain .gov sites (e.g. noaa.gov, 
> nih.gov, ssa.gov) it was due to application based filtering (layer 4).  For 
> some reason the responses from these sites are more often than not fragmented 
> and if you have something doing filtering based on ports it may not be 
> delivering the follow-up fragments because they do not have the tcp headers.  
> Do a tcpdump of your DNS traffic from noaa.gov and check to see if responses 
> are being fragmented and whether you are receiving all of the fragments.  We 
> had to set edns-udp-size to 512 as a workaround until we could identify the 
> problematic piece of hardware.
> Since the only thing you changed was BIND versions, this may have nothing to 
> do with your issue, but I thought I'd throw it out there.

.gov was a relatively early adopter of DNSSEC -- it was mandated for all 
agencies about 3 years ago, I think.  But there were lots of teething 
pains, which caused frequent outages of some domains. And DNSSEC usually 
results in large responses, so if your firewall doesn't deal well with 
EDNS0, you would have problems like that.

Barry Margolin
Arlington, MA
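The following is an added example (not code from the thread above) showing on the wire what BIND's edns-udp-size controls: the UDP payload size a resolver advertises in its EDNS0 OPT record. Advertising 512 makes a server truncate large (typically DNSSEC-signed) answers with TC=1 so the client retries over TCP, instead of sending a big UDP reply whose trailing fragments a port-based filter may drop; the resolver address, query name and command-line usage are assumptions.

```python
"""Build an EDNS0 DNS query with a chosen UDP payload size, classify the reply,
and compare a 4096-byte probe with a 512-byte probe to spot dropped fragments.
Resolver address, query name and usage are assumptions for this example."""
import socket, struct, sys

def build_query(qname, qtype=48, bufsize=4096, do_bit=True, txid=0x1234):
    """DNS header + question + OPT RR; qtype 48 (DNSKEY) is large for signed zones."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, one question, one OPT
    labels = [l for l in qname.rstrip(".").split(".") if l]
    q = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    q += struct.pack("!HH", qtype, 1)                           # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size (edns-udp-size),
    # TTL field = ext-rcode/version/flags (DO bit is 0x8000), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000 if do_bit else 0, 0)
    return hdr + q + opt

def classify_reply(data):
    """Header flags of a raw reply: rcode, TC bit and how many bytes arrived by UDP."""
    _txid, flags = struct.unpack("!HH", data[:4])
    return {"rcode": flags & 0x000F, "tc": bool(flags & 0x0200), "size": len(data)}

def probe(server, qname, bufsize, timeout=2.0):
    """One UDP query; None on timeout, which is what dropped fragments look like."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(qname, bufsize=bufsize), (server, 53))
        data, _ = s.recvfrom(65535)
        return classify_reply(data)
    except socket.timeout:
        return None
    finally:
        s.close()

def verdict(big, small):
    """Compare a 4096-byte probe (big) with a 512-byte probe (small) of the same name."""
    if big is None and small is not None:
        return "large UDP replies lost: fragments probably filtered; 512 works via TC/TCP fallback"
    if big is None:
        return "no UDP reply at either size: not a fragmentation problem"
    return "large replies arrive intact (%d bytes): look elsewhere" % big["size"]

# Constructed sample: a 12-byte reply with QR, TC, RD, RA set and rcode 0
SAMPLE_TC_REPLY = struct.pack("!HH", 0x1234, 0x8380) + b"\x00" * 8

if __name__ == "__main__":
    if len(sys.argv) == 3:      # assumed usage: python3 edns_probe.py <resolver-ip> <name>
        print(verdict(probe(sys.argv[1], sys.argv[2], 4096), probe(sys.argv[1], sys.argv[2], 512)))
    else:
        print(classify_reply(SAMPLE_TC_REPLY))
```

Run the probe against a resolver that serves a signed zone while capturing with tcpdump to see whether the 4096-byte query's reply arrives fragmented and whether all fragments make it through.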
