forwarders not falling back to tcp

Mark Andrews Mark_Andrews at isc.org
Wed Dec 1 21:41:24 UTC 2004


> Hi,
> 
> I have a number of nameservers which are within a DMZ and are using
> external nameservers for all external resolution. The configuration
> is as follows
> 
> options {
>   forwarders { 81.82.11.4; 81.82.11.7; };
> 
>   forward only;
> 
>   edns-udp-size 512;
> };
> 
> For some reason the firewall between the internal and external nameservers
> stopped forwarding UDP dns requests, but TCP connections could still be
> made. But somehow bind-9.2.1 and bind-9.3.0 do not seem to try using TCP
> when used in this setup.

	Well the above will not work with 9.2.1.  edns-udp-size is
	new to 9.3.0 (back ported to 8.3.x/8.4.x).
 
> Is this expected behaviour or a bug? This also creeps up for edns
> packets I had to limit the advertised edns packet size to 512 bytes
> (due to, again, pix configuration issues), as bind does not seem to
> retry these via TCP either if the response requires more than 512 bytes.

	named only tries via TCP if it receives an answer via UDP with
	TC set.  If you block that answer then it will assume the nameserver
	is down.
 
> Any work around, other than fixing the pix?

	Fix the broken firewall.  edns-udp-size is only there to
	allow the nameserver to work while you get the firewall
	fixed.  The bigger answers that EDNS supports are needed
	to ensure that referrals return all the possible glue.
 
> Thanks,
> 
> -Ed
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
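The fallback rule Mark describes (TCP is tried only after a UDP answer with TC set; a silent UDP drop looks like a dead server) as an added Python example for checking a forwarder path, not code from this thread or from BIND; the server address and the example.com name are placeholders you substitute.

```python
import socket
import struct

def build_query(name, qtype=1, edns_udp_size=512, qid=0x1234):
    """Query with RD set plus an EDNS0 OPT record advertising edns_udp_size."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41; the CLASS field carries the UDP payload size
    opt = b"\x00" + struct.pack(">HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt

def is_truncated(response):
    """TC is bit 0x02 of the first flags byte (offset 2) of the DNS header."""
    return len(response) >= 4 and bool(response[2] & 0x02)

def udp_exchange(query, server, timeout=2.0):
    """UDP round trip; None means nothing came back (dropped or server down)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None

def tcp_exchange(query, server, timeout=2.0):
    """TCP round trip using the two-byte length prefix DNS requires."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(query)) + query)
        f = s.makefile("rb")
        length = struct.unpack(">H", f.read(2))[0]
        return f.read(length)

def resolve(query, send_udp, send_tcp):
    """Apply the rule from the reply: TCP only after a UDP answer with TC set."""
    reply = send_udp(query)
    if reply is None:          # silent UDP drop: no TC bit, so no TCP attempt
        return None, "udp-timeout"
    if is_truncated(reply):    # server said the answer does not fit UDP: retry on TCP
        return send_tcp(query), "tcp"
    return reply, "udp"

if __name__ == "__main__":
    # Diagnostic against a forwarder (placeholder address, replace with your own)
    server = "192.0.2.53"
    q = build_query("example.com.")
    answer, transport = resolve(q, lambda p: udp_exchange(p, server),
                                lambda p: tcp_exchange(p, server))
    print(transport, None if answer is None else len(answer))
```

A result of "udp-timeout" against a forwarder that answers over TCP is the symptom from the thread: the firewall is eating UDP, and nothing in the protocol tells the resolver to try TCP instead.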