Queries to a positively cached zone are failing (phila.gov)

Jeff Reasoner jeff.reasoner at mail.hccanet.org
Wed Mar 15 20:28:01 UTC 2006


PIX 6.3.3 and above allows udp datagrams >512 bytes. Upgrading will
require a reboot.
Add something like:

    fixup protocol dns maximum-length 4092


On Wed, 2006-03-15 at 15:00, Greg Chavez wrote:
> On Mar 15, 2006, at 14:52, Greg Chavez wrote:
> 
> > The third thing I did was test it and the fourth thing I did was slap
> > myself again when it didn't work.  Same old same old.  Dig queries to
> > the phila.gov name servers work; queries by BIND time out.
> >
> > Times out: that's an important distinction.  BIND doesn't get back a
> > FORMERR; the remote name server *never responds* to the query.
> >
> > These packets go through a pix firewall before they reach the wild.
> 
> I and our network team are concentrating on the possibility that our
> PIX firewall, which performs minor surgery on DNS packets for NAT
> purposes, may be having trouble accepting "We don't speak EDNS"
> responses from phila.gov's name servers, which may be running  BIND 4.
>  If anybody else has any insight as far as PIX and EDNS goes or thinks
> we're barking up the wrong tree, please come forward.  Otherwise, I'll
> close out this thread when we reach a solution.
> 
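An added worked example (not code from this thread or from either poster) that models the reasoning above: it builds a DNS query with and without an EDNS0 OPT record, and classifies what came back as a timeout, a "we don't speak EDNS" FORMERR/NOTIMP, a truncated answer, or a datagram that a length-limited DNS fixup would drop. The fixup model is an assumption (a UDP DNS datagram longer than maximum-length is silently dropped); phila.gov is used only as a constructed sample name.

```python
import struct

TYPE_A, TYPE_OPT = 1, 41
RCODE_FORMERR, RCODE_NOTIMP = 1, 4

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=TYPE_A, txid=0x1234, edns_udp_size=None):
    """UDP DNS query; when edns_udp_size is set, append an EDNS0 OPT pseudo-RR
    in the additional section (root name, type 41, CLASS = advertised payload size)."""
    arcount = 1 if edns_udp_size else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD=1
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)         # class IN
    if edns_udp_size:
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return pkt

def has_opt(pkt):
    """True if the packet ends with an EDNS0 OPT RR (root name, type 41, empty RDATA)."""
    return len(pkt) >= 11 and pkt[-11] == 0 and struct.unpack("!H", pkt[-10:-8])[0] == TYPE_OPT

def diagnose(query, response, maximum_length=512):
    """Classify one query/response pair the way the thread reasons about it.
    maximum_length models the PIX 'fixup protocol dns maximum-length' limit
    (assumption: any UDP DNS datagram longer than it is silently dropped)."""
    if len(query) > maximum_length:
        return "query-dropped-by-fixup-length"
    if response is None:
        return "timeout"                           # remote never answered
    if len(response) > maximum_length:
        return "response-dropped-by-fixup-length"
    flags = struct.unpack("!H", response[2:4])[0]
    rcode = flags & 0x000F
    if rcode in (RCODE_FORMERR, RCODE_NOTIMP) and has_opt(query) and not has_opt(response):
        return "server-rejects-edns-retry-without-opt"
    if flags & 0x0200:                             # TC bit set
        return "truncated-retry-over-tcp"
    return "ok"

# Constructed sample: the "we don't speak EDNS" FORMERR the thread suspects
# never makes it back through the firewall, built from the query's question.
EDNS_QUERY = build_query("phila.gov", edns_udp_size=4096)
FORMERR_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8181, 1, 0, 0, 0) + EDNS_QUERY[12:-11]
```

Run `diagnose(EDNS_QUERY, None)` to see the timeout case and `diagnose(EDNS_QUERY, FORMERR_REPLY)` for the rejection case; raising maximum_length to 4092 changes only the length verdicts.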
> 