packet too big

Michael Varre bind9 at kishmish.com
Fri Jul 9 15:08:20 UTC 2004


Yes, they are being blocked because they are larger than 512 bytes - I just
don't understand why they are that large.  Seems there should be a better
explanation than just allowing larger packets through via a fixup.

mv

> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of G. Roderick Singleton
> Sent: Friday, July 09, 2004 11:09 AM
> To: Michael Varre
> Cc: BIND List
> Subject: RE: packet too big
> 
> On Fri, 2004-07-09 at 10:46, Michael Varre wrote:
> > > -----Original Message-----
> > > From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> > > Behalf Of Joel
> > > Sent: Friday, July 09, 2004 10:43 AM
> > > To: Michael Varre
> > > Cc: bind-users at isc.org
> > > Subject: Re: packet too big
> > >
> > >
> > >
> > > Michael Varre wrote:
> > > > > I noticed that when using my name servers as a resolver I cannot get
> > > > > to several yahoo sites.  I dug in and noticed a message is getting
> > > > > logged on the firewall that the packet is over 512 bytes (this is the
> > > > > answer packet).
> > > > > The answer seems to be coming directly from yahoo's name servers.  I
> > > > > have included captures.  One is from an answer I receive from
> > > > > roadrunner ns and the other is from one of my resolvers.  There is
> > > > > clearly more data at the end of mine, however I have no clue why it is
> > > > > there from my server rather than others.
> > > > >
> > > > > Any ideas on this problem would be greatly appreciated!  Thanks!
> > >
> > > As you have noticed this is a firewall issue and is best addressed
> > > at that point in the chain. On my PIX we do this
> > >
> > > 	fixup protocol dns maximum-length 1024
> > >
> > > Check your docs for what you need to do to let EDNS0 packets get through
> > > the firewall.
> > > - Joel
> > >
> >
> >
> > Joel,
> > Well yes that is one possibility. However it seems to me that there is no
> > good reason for the packet to be larger than 512 bytes - 512 is pretty
> > standard.  I don't see how my setup could be different from most other
> > servers on the net.
> >
> > mv
> 
> I suggest that you are blocking tcp packets which are used when the
> returned information is larger than a udp packet.
> --
> G. Roderick Singleton <gerry at pathtech.org>
> PATH tech
> 
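The mechanism the thread is circling (why a resolver's reply can legitimately exceed the classic 512-byte UDP limit while another server's reply for the same name does not) comes down to whether the querying resolver advertised EDNS0. The following Python is an added illustration, not code from the list archive or from BIND: it builds a query with and without an EDNS0 OPT record, models an authoritative server that either fits its answer into 512 bytes by setting TC (forcing a TCP retry) or sends the full answer up to the advertised size, and then inspects the reply the way a firewall administrator might inspect a capture. The hostname, addresses and transaction id are constructed sample values.

```python
import struct

CLASSIC_UDP_LIMIT = 512   # RFC 1035 maximum UDP DNS message size without EDNS0
TYPE_A, TYPE_OPT = 1, 41

# Constructed sample data: one name resolving to 40 addresses (a large answer)
SAMPLE_NAME = 'www.example.com'
SAMPLE_ADDRESSES = ['10.0.0.%d' % i for i in range(1, 41)]


def encode_name(name):
    """Encode a dotted hostname as uncompressed DNS labels."""
    labels = [l for l in name.rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'


def skip_name(data, pos):
    """Return the wire length of the (possibly compressed) name starting at pos."""
    start = pos
    while True:
        length = data[pos]
        if length == 0:                 # root label ends the name
            return pos + 1 - start
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return pos + 2 - start
        pos += length + 1


def build_query(name, edns_udp_size=None, txid=0x1234):
    """A-record query; with edns_udp_size set, an EDNS0 OPT pseudo-RR is appended
    advertising that UDP payload size, which is what an EDNS0-capable resolver does."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, arcount)   # RD bit set
    question = encode_name(name) + struct.pack('!HH', TYPE_A, 1)
    opt = b''
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP size, TTL=0, RDLENGTH=0
        opt = b'\x00' + struct.pack('!HHIH', TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def build_response(query, addresses, ttl=300):
    """Model an authoritative server answering with one A RR per address.  Without
    EDNS0 in the query it must stay within 512 bytes, so it drops answers and sets
    TC=1 (the client is expected to retry over TCP); with EDNS0 it may send up to
    the size the resolver advertised."""
    txid, _flags, _qd, _an, _ns, ar = struct.unpack('!HHHHHH', query[:12])
    qend = 12 + skip_name(query, 12) + 4
    question = query[12:qend]
    opt = query[qend:] if ar else b''
    limit = struct.unpack('!H', opt[3:5])[0] if opt else CLASSIC_UDP_LIMIT

    def a_rr(ip):   # name compressed to a pointer at offset 12: 16 bytes per RR
        return (b'\xc0\x0c' + struct.pack('!HHIH', TYPE_A, 1, ttl, 4)
                + bytes(int(o) for o in ip.split('.')))

    answers = [a_rr(ip) for ip in addresses]
    fixed = 12 + len(question) + len(opt)
    room = max(0, (limit - fixed) // 16)
    truncated = room < len(answers)
    answers = answers[:room]
    rflags = 0x8180 | (0x0200 if truncated else 0)   # QR, RD, RA (+ TC when truncated)
    header = struct.pack('!HHHHHH', txid, rflags, 1, len(answers), 0, 1 if opt else 0)
    return header + question + b''.join(answers) + opt


def inspect_response(data):
    """What a firewall admin wants from a captured reply: size, TC bit, EDNS0 size."""
    _txid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', data[:12])
    pos = 12
    for _ in range(qd):
        pos += skip_name(data, pos) + 4
    edns_size = None
    for _ in range(an + ns + ar):
        pos += skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack('!HHIH', data[pos:pos + 10])
        if rtype == TYPE_OPT:
            edns_size = rclass          # the OPT CLASS field carries the UDP payload size
        pos += 10 + rdlen
    return {'length': len(data), 'truncated': bool(flags & 0x0200), 'answers': an,
            'edns_udp_size': edns_size, 'over_512': len(data) > CLASSIC_UDP_LIMIT}


def compare():
    """Same name, same server: classic query gets a truncated 512-byte-safe reply,
    EDNS0 query gets the whole answer in a single UDP datagram over 512 bytes."""
    classic = inspect_response(build_response(build_query(SAMPLE_NAME), SAMPLE_ADDRESSES))
    edns = inspect_response(build_response(build_query(SAMPLE_NAME, edns_udp_size=4096),
                                           SAMPLE_ADDRESSES))
    return classic, edns


if __name__ == '__main__':
    for label, summary in zip(('classic', 'edns0'), compare()):
        print(label, summary)
```

Run as-is, the classic query yields a 497-byte reply with TC set and only 29 of the 40 records, while the EDNS0 query yields a 684-byte reply carrying all 40. A firewall that drops UDP DNS over 512 bytes breaks the second case, and one that also blocks TCP/53 breaks the fallback for the first case, which is the combination the thread is describing.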