[External] Re: intermittent resolution

Mike Hoskins (michoski) michoski at cisco.com
Thu Oct 31 15:05:18 UTC 2013


-----Original Message-----

From: Matus UHLAR - fantomas <uhlar at fantomas.sk>
Date: Thursday, October 31, 2013 7:49 AM
To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Subject: Re: [External]  Re: intermittent resolution

>On 30.10.13 21:58, Samp, Daniel [USA] wrote:
>>In the past when I've had issues with certain .gov sites (e.g. noaa.gov,
>> nih.gov, ssa.gov) it was due to application-based filtering (layer 4).
>> For some reason the responses from these sites are more often than not
>> fragmented and if you have something doing filtering based on ports it
>> may not be delivering the follow-up fragments because they do not have
>> the TCP headers.  Do a tcpdump of your DNS traffic from noaa.gov and
>> check to see if responses are being fragmented and whether you are
>> receiving all of the fragments.
>
>> We had to set edns-udp-size to 512 as a workaround until we
>> could identify the problematic piece of hardware.
>
>This is a server option, not a client option. Did you have to set this on
>your recursive servers, because HW between them and your clients was
>problematic?
>
>If you did find the culprit, can you tell us who it was?

I would assume a firewall somewhere between the server and clients doing
things like protocol inspection or "fixups" based on outdated BCPs.  I've
encountered that numerous times myself.  One more reason the OARC reply
size test is useful.

https://www.dns-oarc.net/oarc/services/replysizetest/

http://www.cisco.com/web/about/security/intelligence/dnssec.html#11
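The thread above talks about what edns-udp-size does on the wire and how to tell a fragment-eating middlebox from a server that simply truncates. The following script is an added example for this archive page, not code posted by anyone in the thread: it builds a DNS query with (or without) an EDNS0 OPT record advertising a UDP payload size, parses a reply for the TC bit and the server's advertised size, and includes a small UDP probe you can point at your own recursive server. The reply used in the offline demonstration is constructed locally; the address 192.0.2.1 is documentation space, and "resolver.example" is a placeholder, not a real host.

```python
import socket
import struct

# Wire-format constants from RFC 1035 and RFC 6891 (standard values).
TYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted hostname into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, edns_udp_size=None, txid=0x1234):
    """Build a recursion-desired query. When edns_udp_size is set, append an
    EDNS0 OPT pseudo-RR whose CLASS field carries that buffer size; this is
    the value a resolver configured with edns-udp-size 512 would advertise."""
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns_udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS=UDP size, TTL=0 (no DO bit), RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def skip_name(data, off):
    """Return the offset just past a possibly-compressed name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def parse_response(data):
    """Extract the fields that matter for a reply-size diagnosis."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns_size = rclass  # the peer's advertised UDP payload size
    return {"id": txid, "rcode": flags & 0xF, "truncated": bool(flags & 0x0200),
            "answers": an, "edns_udp_size": edns_size, "size": len(data)}


def diagnose(sent_size, reply):
    """Interpret a reply (or its absence) in terms of the thread's symptoms."""
    if reply is None:
        return "timeout: no reply at %d bytes (large replies lost suggests dropped fragments)" % sent_size
    if reply["truncated"]:
        return "TC set: answer did not fit in %d bytes, client should retry over TCP" % sent_size
    return "complete UDP reply of %d bytes" % reply["size"]


def make_reply(query, answer_ip="192.0.2.1", truncated=False, edns_udp_size=512):
    """Constructed reply for offline use (not captured traffic): echoes the
    question, adds one A record via a compression pointer, appends an OPT RR."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR, RD, RA, optional TC
    question = query[12:skip_name(query, 12) + 4]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + socket.inet_aton(answer_ip)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1) + question + answer + opt


def probe(server, name, edns_udp_size, timeout=3.0):
    """Send one UDP query to your own resolver; None on timeout. Comparing a
    4096 run against a 512 run for a zone with large answers shows whether
    something in the path is discarding the follow-up fragments."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(name, edns_udp_size=edns_udp_size), (server, 53))
        data, _ = s.recvfrom(65535)
        return parse_response(data)
    except socket.timeout:
        return None
    finally:
        s.close()


if __name__ == "__main__":
    q = build_query("noaa.gov", edns_udp_size=4096)
    print("query advertises", parse_response(q)["edns_udp_size"], "bytes")
    print(diagnose(4096, parse_response(make_reply(q, truncated=True))))
    print(diagnose(4096, None))
    # Live check against your own resolver, e.g.:
    # print(diagnose(512, probe("resolver.example", "noaa.gov", 512)))
```

The useful comparison is the one the thread describes: a reply that arrives at 512 but times out at 4096 (rather than coming back with TC set) means the server did send a large UDP answer and something in between discarded its fragments, whereas TC set at 512 is the server behaving normally and the client falling back to TCP.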



More information about the bind-users mailing list