BIND 9 with views recursion issues

FredrichManey fredrichmaney at gmail.com
Wed Nov 15 02:18:47 UTC 2006


On Nov 14, 4:30 pm, Mark Andrews <Mark_Andr... at isc.org> wrote:
> > I dearly love helpful responses like these.
> >
> > If you noticed, the statement about bind 9 and views was in quotes. As in
> > I was quoting someone else's statement - fairly obviously the person that
> > would be forcing me to go back to bind 8 because "well, it worked in 8
> > so therefore the problem must be with 9".
>
>         I suggest that you run snoop and look at the DNS traffic
>         between your machines and wal-mart's both inside and outside
>         your firewall.


Mark,

Thanks. While I still haven't nailed down the exact problem, I did narrow it
down to being a problem with the firewall, either the PAT pool being overrun
[1] or it not being able to handle the UDP packet sizes that BIND 9 was trying
to send [2]. Since it was production and impacting (internal) customers, we
just moved them to direct 1-to-1 NAT addresses and out of the shared PAT pool
and the issues went away.

fpsm


[1] The firewall admin thinks it was an issue with the fact that the internal
nameservers were sharing the PAT pool on the firewall with several other
(extremely chatty) services. My brother, a network admin, thinks it was an
issue with the UDP packet sizes and the firewall.

[2] After talking with my brother, a Network/Consultant, over dinner, I found
the edns-udp-size setting in the BIND 9 Administrator Guide
(http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html). Given that we
didn't change the firewall that these machines were using, I don't think it
was this, but I will bring it to the firewall admin tomorrow anyway.
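The thread points at two things to check before blaming BIND: what EDNS UDP payload size the resolver is advertising (the edns-udp-size option referenced in footnote [2]) and whether the firewall in the path can pass UDP datagrams of that size. The snippet below is an added example, not code from this thread or from BIND: it builds a constructed DNS response carrying an EDNS0 OPT pseudo-record, extracts the advertised UDP payload size from the OPT record's CLASS field, and flags whether it exceeds a firewall's assumed UDP limit. The 512-byte default threshold and the sample names and addresses are assumptions for illustration; on real traffic you would feed in the DNS payloads captured with snoop or tcpdump instead of the constructed message.

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type (RFC 6891); its CLASS field carries the UDP payload size


def _encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, answer_ip, udp_payload_size=None):
    """Constructed sample response: one A answer, plus an OPT record if a size is given.

    This is synthetic data for the example, not captured traffic.
    """
    arcount = 1 if udp_payload_size is not None else 0
    # ID, flags (QR=1, RD=1, RA=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, arcount)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rdata = bytes(int(octet) for octet in answer_ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    msg = header + question + answer
    if udp_payload_size is not None:
        # OPT: root name, TYPE 41, CLASS = advertised UDP size, TTL = ext flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)
    return msg


def _skip_name(msg, off):
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def edns_udp_size(msg):
    """Return the UDP payload size advertised in the OPT record, or None if absent."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            return rclass
        off += rdlen
    return None


def exceeds_firewall_limit(msg, firewall_max=512):
    """True if the advertised EDNS size is larger than what the firewall (assumed) passes."""
    size = edns_udp_size(msg)
    return size is not None and size > firewall_max


if __name__ == "__main__":
    sample = build_response("www.example.com", "192.0.2.10", udp_payload_size=4096)
    print("advertised EDNS UDP size:", edns_udp_size(sample))
    print("exceeds assumed 512-byte firewall limit:", exceeds_firewall_limit(sample))
```

A resolver advertising 4096 bytes invites upstream servers to send responses that a firewall built around the old 512-byte DNS assumption may fragment or drop, which shows up as the timeouts and retries described in the thread; lowering edns-udp-size on the resolver, or fixing the firewall's UDP handling, are the two corrective options.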
