How to reduce the number of IP address returned when resolving a big round robin DNS entry

besnard michel mbesnard at gmail.com
Thu Nov 30 22:21:44 UTC 2006


Hi,
In fact I have to reduce it to 26 responses to have no truncated message.

I've got strange behaviour from a particular DNS resolver on a wifi mobile:
the resolver waits for the other responses (when the message is truncated)
and does nothing until it receives another packet containing the rest of the
other responses...!
It doesn't switch over to TCP...!

I saw that DJBDNS sends 8 responses from a random set of hosts... a small and
good LB function like I want.

I've to upgrade to BIND 9.3;
my BIND version is 9.2 and BIND 9.2 does not support EDNS.

I'll have to modify the inspection engine on the Cisco FWSM card to allow packets
up to 1500 bytes.
I'll try to make a VIP and use IOS SLB (NAT destination) to solve my
problem
and have only one IP to return... but no one ever NATs that kind of
protocol.

regards,

2006/11/30,  Joseph S D Yao <jsdy at center.osis.gov>:
>
> Why was this sent to both the mailing-list address and the newsgroup
> list for the mailing list?  ;-(
>
>
> On Tue, Nov 28, 2006 at 11:03:08AM +0100, besnard michel wrote:
> ...
> > i'm facing "message truncated" bit problem ; my BIND server send back
> > 29 RRs to my DNS client. But not all my DNS client accept this bit and
> > use TCP instead (normal) ; for the moment i do not accept TCP
> > (firewalled and not load balance, need to check BIND configuration...
> > to make). So i reduce the number of entries in my big IN A round robin
> > entrie. I think it's the best solution for security : DDoS attack. So
> > i try to used UDP only for DNS client.
> ...
>
> Four things.
>
> (1) This is one reason why you must NOT block TCP port 53 in your
> firewall.
>
> (2) You should reduce the number of IP addresses.  You cannot get 29
> responses in a standard packet, and you can't make a GOOD name server
> return less than the full truth.  And if you start using a lying name
> server, you will get what you deserve - lies.
>
> (3) I was about to say something about keeping all of the names short,
> but of course in an A query there is only one name.  Skip this one.
>
> (4) EDNS allows larger packet sizes.
>
> --
> Joe Yao
> -----------------------------------------------------------------------
>    This message is not an official statement of OSIS Center policies.
>



-- 
Cdt,
Michel BESNARD

http://blog.yumanet.com
http://blog.mfl42.net
http://sweetlili.yumanet.com
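Worked example, added here and not part of the thread above: the 512-byte UDP limit that forces the TC bit is easy to reason about once the wire format is written out. The script below builds a plain (no EDNS) A response the way a server packs a round-robin RRset, with each answer owner name as a compression pointer back to the question name, so every A record costs a fixed 16 bytes. It then shows how many records fit for a given query name, sets TC=1 when the message would not fit, and lets you account for the authority and additional sections a server may append, which is why a site can hit the limit at 26 records rather than 29. The name `www.example.com`, the 192.0.2.0/24 addresses and the 48-byte allowance for extra sections are constructed values, not taken from anyone's zone.

```python
"""
Added example (not from the original thread): estimate how many A records
fit in a classic 512-byte UDP DNS response, and show the TC bit a resolver
sees when the answer does not fit.  Names and addresses are constructed.
"""
import ipaddress
import struct

UDP_LIMIT = 512      # RFC 1035 maximum UDP payload without EDNS0
TC_FLAG = 0x0200     # "truncated" bit in the DNS header flags word
A_RR_COMPRESSED = 16 # 2-byte name pointer + type + class + TTL + rdlength + 4-byte address


def encode_name(name: str) -> bytes:
    """Encode a dotted name in wire format: length-prefixed labels, then a root 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        lab = label.encode("ascii")
        if not 1 <= len(lab) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(lab)]) + lab
    return out + b"\x00"


def build_a_response(qname: str, addresses, txn_id: int = 0x1234, ttl: int = 60) -> bytes:
    """Header + question + one A RR per address, no authority/additional sections.
    Each answer owner name is the pointer 0xC00C (offset 12 = the question name),
    which is how a server packs a round-robin A RRset."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        rdata = ipaddress.IPv4Address(addr).packed
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
    flags = 0x8180  # QR=1, RD=1, RA=1: ordinary answer, TC clear
    header = struct.pack("!HHHHHH", txn_id, flags, 1, len(addresses), 0, 0)
    return header + question + answers


def question_end(msg: bytes) -> int:
    """Offset just past the question section (name + QTYPE + QCLASS)."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4


def truncate_for_udp(msg: bytes, limit: int = UDP_LIMIT) -> bytes:
    """Server side: if the answer exceeds the UDP limit, reply with just the
    question and TC=1 so the client knows to retry over TCP.  Real servers may
    keep as many whole RRs as fit; dropping them all is the simplest conforming form."""
    if len(msg) <= limit:
        return msg
    txn_id, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    header = struct.pack("!HHHHHH", txn_id, flags | TC_FLAG, qd, 0, 0, 0)
    return header + msg[12:question_end(msg)]


def is_truncated(msg: bytes) -> bool:
    """Client side: the check a well-behaved resolver makes before switching to TCP."""
    (flags,) = struct.unpack("!H", msg[2:4])
    return bool(flags & TC_FLAG)


def max_a_records(qname: str, other_sections: int = 0, limit: int = UDP_LIMIT) -> int:
    """How many compressed A RRs fit: 12-byte header + question + 16 bytes per RR,
    minus whatever authority/additional bytes the server packs in as well."""
    fixed = 12 + len(encode_name(qname)) + 4 + other_sections
    return max(0, (limit - fixed) // A_RR_COMPRESSED)


def demo():
    """Constructed walk-through: 29 records fit for a short name, 30 do not."""
    addrs = [f"192.0.2.{i}" for i in range(1, 31)]            # TEST-NET-1, constructed
    ok = truncate_for_udp(build_a_response("www.example.com.", addrs[:29]))
    tc = truncate_for_udp(build_a_response("www.example.com.", addrs[:30]))
    return {
        "fit_plain": max_a_records("www.example.com."),
        "fit_with_48_extra_bytes": max_a_records("www.example.com.", other_sections=48),
        "size_29": len(ok), "tc_29": is_truncated(ok),
        "size_30": len(tc), "tc_30": is_truncated(tc),
    }


if __name__ == "__main__":
    print(demo())
```

The numbers worth noticing: with a 17-byte query name the answer section alone allows 29 A records (497 bytes), and the 30th pushes the reply over 512 and sets TC. Add a plausible 48 bytes of authority and additional data and the same name only has room for 26 records, which is the kind of gap the post describes. A resolver that receives the TC=1 reply and simply waits, instead of retrying over TCP, will never see the rest of the RRset, so blocking TCP/53 at the firewall turns that client bug into a hard failure.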