-----Original Message-----

From: Matus UHLAR - fantomas <uh...@fantomas.sk>
Date: Thursday, October 31, 2013 7:49 AM
To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Subject: Re: [External]  Re: intermittent resolution

>On 30.10.13 21:58, Samp, Daniel [USA] wrote:
>>In the past when I've had issues with certain .gov sites (e.g. noaa.gov,
>> nih.gov, ssa.gov) it was due to application based filtering (layer 4).
>> For some reason the responses from these sites are more often than not
>> fragmented and if you have something doing filtering based on ports it may
>> not be delivering the follow-up fragments because they do not have the tcp
>> headers.  Do a tcpdump of your DNS traffic from noaa.gov and check to see
>> if responses are being fragmented and whether you are receiving all of the
>> fragments.
>
>> We had to set edns-udp-size to 512 as a workaround until we
>> could identify the problematic piece of hardware.
>
>this is a server option, not a client option. did you have to set this on
>your recursive servers, because HW between them and your clients was
>problematic?
>
>If you did find the culprit, can you tell us who was it?

i would assume a firewall somewhere between the server and clients doing
things like protocol inspection or "fixups" based on outdated BCPs.  i've
encountered that numerous times myself.  one more reason the oarc reply
size test is useful.

https://www.dns-oarc.net/oarc/services/replysizetest/

http://www.cisco.com/web/about/security/intelligence/dnssec.html#11
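As an added example (not part of the thread and not code from any of its posters), the script below automates the check Daniel describes: it asks for a large DNSSEC answer once with a 4096-byte EDNS buffer and once with the 512-byte size used as the workaround, then classifies the outcome. A timeout at 4096 combined with a working 512-byte query (which typically ends in a TC-flag retry over TCP) is the fingerprint of a middlebox dropping the non-first IP fragments. It assumes `dig` is installed; the query name noaa.gov comes from the thread, the 1472-byte threshold is the IPv4 Ethernet payload limit above which a UDP datagram must fragment, and the parsing and classification are pure functions so they can be exercised offline on constructed dig output.

```python
"""Probe whether large UDP DNS answers reach this resolver host.

Runs dig with a large EDNS buffer and with a 512-byte buffer and compares
the two results. parse_dig_output() and diagnose() are pure so the logic
can be tested without network access.
"""
import re
import shutil
import subprocess
import sys

TIMEOUT_MARK = "connection timed out"
TCP_RETRY_MARK = "retrying in TCP mode"
# Largest DNS payload that fits one IPv4 datagram on a 1500-byte MTU link
# (1500 - 20 IP - 8 UDP); anything bigger arrived as IP fragments.
UNFRAGMENTED_MAX = 1472


def parse_dig_output(text):
    """Reduce dig's text output to the three facts the diagnosis needs.

    answered: dig printed a response header (a reply was received)
    tc:       the UDP reply carried the TC flag (dig then retries over TCP)
    size:     ';; MSG SIZE  rcvd:' value of the final reply, or None
    """
    answered = ";; flags:" in text and TIMEOUT_MARK not in text
    tc = bool(re.search(r";; flags:[^;]*\btc\b", text)) or TCP_RETRY_MARK in text
    m = re.search(r";; MSG SIZE\s+rcvd: (\d+)", text)
    size = int(m.group(1)) if m else None
    return {"answered": answered, "tc": tc, "size": size}


def run_dig(name, bufsize, qtype="DNSKEY", server=None, timeout=3):
    """Run a single dig query with the given EDNS buffer size and parse it."""
    cmd = ["dig", "+dnssec", "+tries=1", f"+time={timeout}",
           f"+bufsize={bufsize}", name, qtype]
    if server:
        cmd.append(f"@{server}")
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 5)
    return parse_dig_output(proc.stdout)


def diagnose(large, small):
    """Classify a (large-buffer, 512-byte-buffer) probe pair.

    Returns (code, explanation). 'fragment-drop' is the case from the thread:
    big UDP answers never arrive, but 512-byte queries (and the TCP fallback
    they trigger) work, so only the follow-up IP fragments are being lost.
    """
    if large["answered"]:
        if large["size"] is not None and large["size"] > UNFRAGMENTED_MAX:
            return ("ok-fragmented", "fragmented UDP answer received intact")
        return ("ok-small", "answer fits in one datagram; fragmentation not exercised")
    if small["answered"]:
        return ("fragment-drop",
                "large UDP answers lost but 512-byte queries succeed; "
                "suspect a firewall/middlebox dropping IP fragments")
    return ("inconclusive", "no answer at either size (server down, blocked, or bad name)")


def main(argv):
    name = argv[1] if len(argv) > 1 else "noaa.gov"      # example domain from the thread
    server = argv[2] if len(argv) > 2 else None           # optional @server
    if not shutil.which("dig"):
        sys.exit("dig not found in PATH")
    large = run_dig(name, 4096, server=server)
    small = run_dig(name, 512, server=server)
    code, why = diagnose(large, small)
    print(f"{name}: {code}: {why}")
    print(f"  4096-byte probe: {large}")
    print(f"   512-byte probe: {small}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 probe.py noaa.gov` (optionally with a resolver as the second argument) from the host that is seeing the intermittent failures; a `fragment-drop` verdict is the point at which a tcpdump filter such as `ip[6:2] & 0x1fff != 0` on both sides of the suspect device shows where the fragments disappear.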

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users