In the past when I've had issues with certain .gov sites (e.g. noaa.gov, 
nih.gov, ssa.gov) it was due to application based filtering (layer 4).  For 
some reason the responses from these sites are more often than not fragmented 
and if you have something doing filtering based on ports it may not be 
delivering the follow-up fragments because they do not have the tcp headers.  
Do a tcpdump of your DNS traffic from noaa.gov and check to see if responses are 
being fragmented and whether you are receiving all of the fragments.  We had to 
set edns-udp-size to 512 as a workaround until we could identify the 
problematic piece of hardware.

Since the only thing you changed was BIND versions, this may have nothing to do 
with your issue, but I thought I'd throw it out there.
 
-Dan
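
Added example (not part of the original message): a Python sketch of the check described above, run over constructed raw IPv4 packets instead of a live tcpdump capture. It groups fragments by source, destination and IP ID and reports whether every fragment of a DNS response arrived; the function names and sample addresses are assumptions for illustration.

```python
import struct
from collections import defaultdict

def parse_ipv4(pkt):
    """Split one raw IPv4 packet into (flow key, byte offset, MF flag, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    key = (pkt[12:16], pkt[16:20], ident, pkt[9])   # src, dst, IP ID, protocol
    return key, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), pkt[ihl:total_len]

def fragmented_dns_status(packets):
    """Return {IP ID: 'complete' | 'incomplete'} for fragmented UDP datagrams from port 53."""
    groups = defaultdict(list)
    for pkt in packets:
        key, offset, mf, payload = parse_ipv4(pkt)
        if key[3] == 17 and (mf or offset):          # UDP and part of a fragmented datagram
            groups[key].append((offset, mf, payload))
    status = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f[0])
        first_offset, _, first_payload = frags[0]
        # Only the offset-0 fragment carries the UDP header, hence the ports.
        if first_offset != 0 or len(first_payload) < 8:
            continue                                  # cannot attribute to DNS without it
        if struct.unpack("!H", first_payload[:2])[0] != 53:
            continue
        covered, gap, saw_last = 0, False, False
        for offset, mf, payload in frags:
            gap = gap or offset > covered             # hole before this fragment
            covered = max(covered, offset + len(payload))
            saw_last = saw_last or not mf             # MF clear marks the final fragment
        status[key[2]] = "complete" if saw_last and not gap else "incomplete"
    return status

def build(ident, offset, mf, payload):
    """Constructed test packet: IPv4 header (checksum left 0) from 192.0.2.53 to 192.0.2.10."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                       64, 17, 0, bytes([192, 0, 2, 53]), bytes([192, 0, 2, 10])) + payload

# Constructed sample: a 1680-byte UDP datagram from port 53 split at 1480 bytes.
UDP = struct.pack("!HHHH", 53, 40000, 1680, 0) + b"\x00" * 1672
SAMPLE = [
    build(0x1111, 0, True, UDP[:1480]), build(0x1111, 1480, False, UDP[1480:]),  # both arrive
    build(0x2222, 0, True, UDP[:1480]),                # follow-up fragment never arrives
    build(0x3333, 0, False, UDP[:520]),                # unfragmented reply, ignored
]

if __name__ == "__main__":
    print(fragmented_dns_status(SAMPLE))
```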

________________________________________
From: bind-users-bounces+samp_daniel=bah....@lists.isc.org 
[bind-users-bounces+samp_daniel=bah....@lists.isc.org] on behalf of Con Wieland 
[cwiel...@uci.edu]
Sent: Wednesday, October 30, 2013 5:28 PM
To: BIND List
Subject: [External]  Re: intermittent resolution

The sites I am having issues with are half a dozen sites at noaa.gov. No, I 
have not tried 9.9.4; when I upgraded, 9.8.6 was listed as the current stable 
version so I went with that.

con

On Oct 30, 2013, at 11:48 AM, Alan Clegg <a...@clegg.com> wrote:

>
> On Oct 30, 2013, at 10:03 AM, Con Wieland <cwiel...@uci.edu> wrote:
>
>> I recently upgraded to version: 9.8.6. I am having trouble resolving a .gov 
>> site. When I reload the name server it will resolve fine for a while then 
>> after an hour or two I will get a server fail. I can perform a dig +trace 
>> and resolve but dig will fail. If I do an rndc reload it will work for some 
>> period of time again.  I suspect negative caching but the site has the ttl 
>> set to 60 so I would expect it to resolve again but it doesn't until a 
>> reload is performed. Other sites seem to be affected but I don't know. This 
>> is a high visibility site. The only configuration change has been to add RPZ 
>> which seems to be working fine.
>>
>> Other name servers seem to be unaffected. What am I missing? What else can I 
>> check? I can provide more details if it would be helpful.
>
> Can you tell us _what_ .gov site?   Do you see the same problem with 9.9.4?
>
> AlanC
> --
> Alan Clegg | +1-919-355-8851 | a...@clegg.com
>

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users