[External] Re: intermittent resolution
barmar at alum.mit.edu
Wed Oct 30 23:57:41 UTC 2013
In article <mailman.1592.1383170345.20661.bind-users at lists.isc.org>,
"Samp, Daniel [USA]" <Samp_Daniel at bah.com> wrote:
> In the past when I've had issues with certain .gov sites (e.g. noaa.gov,
> nih.gov, ssa.gov) it was due to application based filtering (layer 4). For
> some reason the responses from these sites are more often than not fragmented
> and if you have something doing filtering based on ports it may not be
> delivering the follow-up fragments because they do not have the tcp headers.
> Do a tcpdump of your DNS traffic from noaa.gov and check to see if responses
> are being fragmented and whether you are receiving all of the fragments. We
> had to set edns-udp-size to 512 as a workaround until we could identify the
> problematic piece of hardware.
> Since the only thing you changed was BIND versions, this may have nothing to
> do with your issue, but I thought I'd throw it out there.
.gov was a relatively early adopter of DNSSEC -- it was mandated for all
agencies about 3 years ago, I think. But there were lots of teething
pains, which caused frequent outages of some domains. And DNSSEC usually
results in large responses, so if your firewall doesn't deal well with
EDNS0, you would have problems like that.
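The check the quoted message recommends (compare a large-buffer EDNS query against a 512-byte one) written as a small added probe; this is example code, not something from the thread or from BIND. It assumes a resolver at 8.8.8.8 (substitute your own) and uses the DNSKEY record of noaa.gov as a large DNSSEC-signed answer.

```python
import socket
import struct

def build_edns_query(name, qtype=1, udp_payload=4096, txid=0x1234):
    """Standard query with an EDNS0 OPT record advertising udp_payload bytes (DO bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    # OPT RR (RFC 6891): root name, TYPE 41, CLASS = UDP size, TTL = ext-rcode|version|DO, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, udp_payload, 0, 0, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(data, off):
    # Advance past a wire-format name; a 0xC0 compression pointer (2 bytes) ends the name.
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_response(data):
    """Return TC flag, RCODE, advertised EDNS payload (None without OPT) and wire size."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE + QCLASS
    edns_payload = None
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == 41:
            edns_payload = rclass  # OPT carries the UDP size in its CLASS field
        off += 10 + rdlen
    return {"tc": bool(flags & 0x0200), "rcode": flags & 0xF, "edns_payload": edns_payload, "length": len(data)}

def probe(server, name, qtype=48, sizes=(4096, 512), timeout=3.0):
    """Ask for the same record with each EDNS size; None means no reply within timeout."""
    results = {}
    for size in sizes:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_edns_query(name, qtype, udp_payload=size), (server, 53))
            try:
                results[size] = parse_response(sock.recvfrom(65535)[0])
            except socket.timeout:
                results[size] = None
    return results

if __name__ == "__main__":
    print(probe("8.8.8.8", "noaa.gov"))  # assumed resolver; DNSKEY (type 48) is a large answer
```

A timeout at 4096 together with TC=1 at 512 means the answer exceeds 512 bytes but the larger UDP reply never arrives, which is the dropped-fragment symptom the 512-byte edns-udp-size workaround papers over.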