External resolution timeouts
Justin Park
ng_tao at yahoo.co.kr
Fri Aug 6 02:28:18 UTC 2004
"Jason L. Cook" <jason at siliconashes.net> wrote in message news:<ceu6cu$2059$1 at sf1.isc.org>...
> Quoting Justin Park <ng_tao at yahoo.co.kr>:
>
> > Is your name server behind a firewall, especially a CheckPoint FW-1?
>
> Yes! It is behind a Checkpoint FW-1.
>
>
> > BIND 9 tries the first DNS query with the EDNS0 option and also the CD flag set in
> > the DNS message header.
> >
> > The DNS Query message with this setting would be dropped by the
> > firewall, if such SmartDefence function is enabled on CheckPoint FW-1.
> >
> > ...
> >
> > If my guess - your name server is behind a firewall and the
> > firewall drops the DNS query message - is right, the result of the above
> > command will also time out, instead of receiving a DNS response with
> > FORMERR.
>
> Looks like this is exactly the case. Good guess!
>
> What's the solution? Is there a way to configure BIND to send queries without
> the EDNS0 option and CD flag, or do you think it is better to disable the
> SmartDefence function in FW-1?
There is no way to make BIND send the first DNS query message
without the EDNS0 option and CD flag.
There is no configuration option for this.
I had the same problem and analyzed the source code of BIND, and
found out that this is the default operation and there is no way to
change it with configuration options.
So the only solution is to disable the SmartDefence function of FW-1,
if you have to operate your name server as a resolving name server
behind the firewall.
Just turn off the checking function on DNS messages, which is a
sub-function of SmartDefence.
Another possible solution is to turn off the recursive mode of your
name server, that is, to make your name server an authoritative-only
name server,
and put another recursive name server outside the firewall.
Have a nice day...
Justin.
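The diagnostic the thread relies on (a plain query versus one carrying EDNS0 and the CD bit, and a timeout versus a FORMERR answer) can be reproduced without BIND. The following is an added example, not code from the original post or from BIND; it uses only the Python standard library. It builds both query shapes, decodes the header fields a packet-inspecting firewall would look at, constructs the FORMERR reply that a pre-EDNS0 server returns (RFC 2671 section 5.3 behaviour, constructed here rather than captured), and classifies a reply as "timeout" or "formerr". The name example.com, the transaction ID 0x1234 and the 4096-byte UDP payload size are arbitrary placeholders; the probe() helper does real UDP I/O and is provided only for running the test by hand against a resolver from behind the firewall.

```python
# Added example (not from the original bind-users post): build the two DNS
# query shapes the thread contrasts and classify the reply. Stdlib only.
import socket
import struct

FLAG_QR = 0x8000      # response bit
FLAG_RD = 0x0100      # recursion desired
FLAG_CD = 0x0010      # checking disabled (DNSSEC, RFC 2535)
TYPE_OPT = 41         # EDNS0 OPT pseudo-RR (RFC 2671)
RCODE_FORMERR = 1

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype=1, txid=0x1234, cd=False, edns0=False, udp_size=4096):
    """cd=True, edns0=True gives the shape the thread says BIND 9 sends first;
    the defaults give the plain query an older resolver sends. txid is arbitrary."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns0 else 0)
    pkt = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns0:
        # OPT RR: root name, TYPE=41, CLASS=sender UDP payload size,
        # TTL=extended RCODE/version/flags (all zero), RDLENGTH=0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return pkt

def _skip_name(pkt, off):
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, 2 bytes
            return off + 2
        off += 1 + length

def decode_header(pkt):
    """The header fields a firewall or a troubleshooter inspects."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F,
            "qdcount": qd, "arcount": ar}

def has_opt(pkt):
    """True if any resource record in the message is an EDNS0 OPT RR."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4            # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == TYPE_OPT:
            return True
        off += 10 + rdlen
    return False

def formerr_reply(query):
    """Constructed reply of a server that does not understand EDNS0 (RFC 2671
    s.5.3): the question echoed with QR set, RCODE=FORMERR and no OPT RR."""
    txid, flags, _, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    qend = _skip_name(query, 12) + 4
    flags = (flags & 0xFFF0) | FLAG_QR | RCODE_FORMERR
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:qend]

def classify(reply):
    """None (timeout) means the query or reply never got through, as with the
    firewall drop in the thread; FORMERR means the server saw it and refused."""
    if reply is None:
        return "timeout"
    rcode = decode_header(reply)["rcode"]
    return "formerr" if rcode == RCODE_FORMERR else "rcode=%d" % rcode

def probe(server, qname, cd, edns0, timeout=3.0):
    """Send one query over UDP; returns reply bytes or None on timeout.
    Network helper for reproducing the thread's test; not run by default."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname, cd=cd, edns0=edns0), (server, 53))
        return sock.recvfrom(4096)[0]
    except socket.timeout:
        return None
    finally:
        sock.close()

if __name__ == "__main__":
    for cd, edns0 in ((True, True), (False, False)):
        q = build_query("example.com.", cd=cd, edns0=edns0)
        print("cd=%s edns0=%s: %d bytes, OPT=%s, header=%s"
              % (cd, edns0, len(q), has_opt(q), decode_header(q)))
    print("legacy server:", classify(formerr_reply(build_query("example.com.", cd=True, edns0=True))))
    print("dropped by firewall:", classify(None))
```

To run the thread's test by hand, call classify(probe("<resolver-ip>", "example.com.", cd=True, edns0=True)) and then the same with cd=False, edns0=False from a host behind the firewall: "timeout" only for the EDNS0/CD query is the pattern Justin describes, while "formerr" shows the query reached a server that simply does not support EDNS0.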