We had a similar problem when we moved some DNS servers to a DMZ that was behind a firewall (a Cisco FWSM blade in a 6513 chassis). A packet capture showed that the initial query from the DNS server had the EDNS flag set. It never got a response to that query, and would then resend it without the EDNS flag and would get an immediate response. I'm not sure if the firewall didn't like the query itself or the response, but there was definitely something about EDNS that it didn't like. We fixed the problem by disabling the DNS application inspection that the firewall was doing ("no fixup protocol dns"). Check your firewalls to see if they are dropping the EDNS requests. If so, you can try modifying your firewalls to allow the EDNS queries, or if that isn't possible then you can try limiting the EDNS packet size to 512 in your options:
options { edns-udp-size 512; };

-Anthony Blalock

> > I have installed a caching only instance of BIND (9.2.4) on a CentOS
> > machine on my internal network. I have noticed that initial DNS requests
> > against the server take a rather large amount of time (usually around 7
> > seconds). I have done some basic troubleshooting and I am coming up at a
> > loss. I think my ISP might be doing something "funny" but I am not sure
> > how to test any further.
> >
> > I have captured BIND debug info at a trace level of 3 (posted below). I
> > have also captured snoop data via tcpdump. From what I can tell, it seems
> > as if responses are taking a "long" time to come back. The same behavior
> > is exhibited for any domain or host I attempt to lookup.
> >
> > To be clear, everything is working, just much slower than it should for
> > initial queries. Any help troubleshooting would be greatly appreciated.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
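The check Anthony suggests ("see if your firewalls are dropping the EDNS requests") can be scripted without a packet capture. The following is an added example, not code from the thread, BIND or ISC: it builds two otherwise identical UDP queries, one with an EDNS(0) OPT pseudo-RR (RFC 6891) advertising a 4096-byte payload and one without, sends each to a resolver and reports the symptom described above (EDNS form unanswered, plain form answered) as a likely DNS-inspection drop. The server address, query name, the `probe`/`diagnose` names and the constructed reply used for the offline demo are all assumptions; only `probe()` touches the network.

```python
"""Added example: detect a firewall that drops EDNS(0) queries (stdlib only)."""
import random
import socket
import struct

OPT_TYPE = 41  # EDNS(0) OPT pseudo-RR type code


def build_query(qname, qtype=1, edns=False, udp_size=4096, txid=None):
    """Return a raw DNS query; with edns=True an OPT RR is added to the additional section."""
    if txid is None:
        txid = random.randrange(0, 65536)
    # id, flags (RD set), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # qtype, class IN
    msg = header + question
    if edns:
        # OPT RR: root name, type 41, "class" carries the advertised UDP payload
        # size, the TTL field carries extended RCODE/version/flags (all zero), no RDATA.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return msg


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract id, RCODE, answer count, TC bit and whether an OPT RR is present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip qtype/qclass
    has_opt = False
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        has_opt = has_opt or rtype == OPT_TYPE
    return {"id": txid, "rcode": flags & 0xF, "answers": an,
            "truncated": bool(flags & 0x0200), "has_opt": has_opt}


def diagnose(edns_reply, plain_reply):
    """Classify the pair of results (bytes or None for a timeout)."""
    if edns_reply is None and plain_reply is None:
        return "No reply to either query: resolver unreachable or all UDP/53 blocked"
    if edns_reply is None:
        return ("EDNS queries are dropped but plain queries succeed: suspect DNS "
                "application inspection on the path (e.g. 'fixup protocol dns'); "
                "workaround is 'edns-udp-size 512' in named.conf options")
    if plain_reply is None:
        return "Plain query dropped but EDNS answered: not the EDNS symptom, check packet loss"
    info = parse_response(edns_reply)
    return "EDNS works (resolver %s OPT RR)" % ("echoed" if info["has_opt"] else "did not echo")


def make_constructed_reply(query, ip):
    """Constructed A-record answer for an EDNS-less query, used for the offline demo."""
    qend = _skip_name(query, 12) + 4
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + query[12:qend] + answer


def probe(server, qname="example.com", timeout=3.0):
    """Send both query forms to server:53 over UDP and return the diagnosis."""
    def ask(packet):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(packet, (server, 53))
            try:
                return s.recvfrom(4096)[0]
            except socket.timeout:
                return None
    return diagnose(ask(build_query(qname, edns=True)), ask(build_query(qname)))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # e.g. python edns_probe.py 192.0.2.53 (assumed address)
    else:
        # Offline demo reproducing the capture from the thread: EDNS unanswered, plain answered.
        plain = build_query("example.com", txid=7)
        print(diagnose(None, make_constructed_reply(plain, "192.0.2.1")))
```

Run it against the resolver's own forwarders as well as against the resolver: if the EDNS query times out only when it crosses the firewall, the `edns-udp-size 512` option (or disabling the DNS fixup) is the right fix; if it times out everywhere, the problem is upstream of EDNS.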