-----Original Message-----
From: Matus UHLAR - fantomas <uh...@fantomas.sk>
Date: Thursday, October 31, 2013 7:49 AM
To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Subject: Re: [External] Re: intermittent resolution

> On 30.10.13 21:58, Samp, Daniel [USA] wrote:
>> In the past when I've had issues with certain .gov sites (e.g. noaa.gov,
>> nih.gov, ssa.gov) it was due to application based filtering (layer 4).
>> For some reason the responses from these sites are more often than not
>> fragmented and if you have something doing filtering based on ports it
>> may not be delivering the follow-up fragments because they do not have
>> the tcp headers. Do a tcpdump of your DNS traffic from noaa.gov and check
>> to see if responses are being fragmented and whether you are receiving
>> all of the fragments.
>
>> We had to set edns-udp-size to 512 as a workaround until we
>> could identify the problematic piece of hardware.
>
> This is a server option, not a client option. Did you have to set this on
> your recursive servers, because HW between them and your clients was
> problematic?
>
> If you did find the culprit, can you tell us who it was?

I would assume a firewall somewhere between the server and clients doing
things like protocol inspection or "fixups" based on outdated BCPs. I've
encountered that numerous times myself. One more reason the OARC reply
size test is useful.

https://www.dns-oarc.net/oarc/services/replysizetest/
http://www.cisco.com/web/about/security/intelligence/dnssec.html#11
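The failure mode Daniel describes (a port-based filter passing the first IP fragment of a large UDP/53 answer but dropping the trailing fragments, which carry no transport header) and the edns-udp-size 512 workaround, as an added Python example that is not code from this thread, from BIND or from the OARC test. It builds constructed IPv4 fragments of a constructed DNS answer, runs them through a model of a stateless "permit UDP source port 53" rule, and checks whether the client side could reassemble the response. The addresses, the IP ID, the 1500-byte MTU, the payload bytes and the filter model are all assumptions; reassembly is simplified (no timers, no overlap handling).

```python
"""Added example (not from the bind-users thread): why a port-only filter
drops trailing IP fragments of a large DNS/UDP response, and why capping
edns-udp-size keeps the answer in one packet. Packets are constructed,
not captured; reassembly is a simplified model (no timers, no overlaps)."""
import socket
import struct

IP_PROTO_UDP = 17
DNS_PORT = 53
IHL = 20  # IPv4 header length without options


def build_udp_datagram(sport, dport, data):
    # UDP header: source port, destination port, length, checksum (0 = none)
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment_ipv4(src, dst, ident, udp_datagram, mtu=1500):
    """Split one UDP datagram into IPv4 fragments as a router with `mtu` would.
    Only the first fragment carries the 8-byte UDP header."""
    chunk = (mtu - IHL) // 8 * 8  # fragment payloads are multiples of 8 bytes
    frags, offset = [], 0
    while offset < len(udp_datagram):
        piece = udp_datagram[offset:offset + chunk]
        more = offset + len(piece) < len(udp_datagram)
        flags_frag = (0x2000 if more else 0) | (offset // 8)  # MF bit | offset/8
        header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IHL + len(piece), ident,
                             flags_frag, 64, IP_PROTO_UDP, 0,
                             socket.inet_aton(src), socket.inet_aton(dst))
        frags.append(header + piece)
        offset += len(piece)
    return frags


def parse_ipv4(pkt):
    """Decode the fields of the IPv4 header a fragment-aware filter needs."""
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:IHL])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": src, "dst": dst, "ident": ident, "proto": proto,
            "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:total_len]}


def port_filter_allows(pkt):
    """Model (assumption) of a stateless 'permit UDP source port 53' rule that
    only reads the transport header. A non-first fragment has no UDP header,
    so the rule can never match it and the fragment is dropped."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != IP_PROTO_UDP or ip["offset"] != 0:
        return False
    sport = struct.unpack("!H", ip["payload"][:2])[0]
    return sport == DNS_PORT


def reassemble(frags):
    """Return the UDP datagram if the fragments form a complete sequence, else None."""
    parts = sorted((parse_ipv4(p) for p in frags), key=lambda p: p["offset"])
    if not parts or parts[-1]["mf"]:  # final fragment (MF=0) never arrived
        return None
    buf, expected = b"", 0
    for p in parts:
        if p["offset"] != expected:   # hole in the sequence
            return None
        buf += p["payload"]
        expected += len(p["payload"])
    return buf


def simulate(answer_len, mtu=1500):
    """Push a constructed DNS answer of `answer_len` bytes through the filter and
    report fragments produced, fragments passed, and whether the client could
    reassemble the full response."""
    answer = bytes(i % 256 for i in range(answer_len))  # constructed payload
    datagram = build_udp_datagram(DNS_PORT, 40000, answer)
    frags = fragment_ipv4("192.0.2.53", "192.0.2.10", 0xBEEF, datagram, mtu)
    passed = [f for f in frags if port_filter_allows(f)]
    return {"fragments": len(frags), "passed": len(passed),
            "complete": reassemble(passed) == datagram}


if __name__ == "__main__":
    print("large EDNS answer:", simulate(1600))  # 2 fragments, only 1 passes
    print("sub-512-byte answer:", simulate(450))  # one packet, passes intact
```

In a real tcpdump of the traffic, the same picture shows up as a first packet from port 53 with the "more fragments" flag set, followed by packets with a non-zero fragment offset and no port numbers at all; if the capture on the inside of the filter only ever shows the first one, the filter is the culprit. Capping edns-udp-size at 512 sidesteps the problem by keeping answers small enough for a single packet, at the cost of forcing large (e.g. DNSSEC) answers over TCP.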