Name Resolve
Wael Shahin
wael.shahin at gmail.com
Thu Mar 15 12:13:50 UTC 2007
Thank you again Stefan,
I configured our PIX firewall a long time back to the default value that
BIND uses for EDNS packets,
and after a while, to eliminate the firewall from this mystery, I completely
removed the DNS inspection on the firewall.
The edns size option is not the issue, I believe, and I have also tried it.
Weirdly enough, sometimes I get the same error and by issuing "rndc
flush" the server starts resolving the troubled domain again.
----- Original Message -----
From: "Stefan Puiu" <stefan.puiu at gmail.com>
To: "Wael Shahin" <wael.shahin at gmail.com>
Cc: <bind-users at isc.org>
Sent: Thursday, March 15, 2007 2:13 PM
Subject: Re: Name Resolve
> On 3/15/07, Wael Shahin <wael.shahin at gmail.com> wrote:
>> Well, the other server is views and it is not complex at all
>>
>> options {
>> directory "/var/named/";
>> dump-file "/var/named/data/cache_dump.db";
>> statistics-file "/var/named/data/named_stats.txt";
>> version "Get Lost";
>> datasize default;
>> querylog no;
>> recursive-clients 30000;
>> edns-udp-size 512;
>
> ^^^^
> This is one difference that sticks out - it's a workaround for
> firewalls blocking DNS packets bigger than 512 bytes. If your firewall
> has that problem and you can't replace or fix it, you can use this as
> a workaround on your first server, too.
>
> IIRC, you can check whether it's your case using dig. Quoting from an
> older mail by Mark Andrews (you can find it in the list archives -
> http://marc.info/?l=bind-users&m=110479849321451&w=2):
>
>> > You can determine if the firewall is misconfigured if you get
>> > a response to the first query and not to the second query.
>> >
>> > dig soa com +norec @a.root-servers.net
>> > dig soa com +norec +bufsize=1024 @a.root-servers.net
>
>
>> pid-file "/var/named/named.pid";
>> /*
>> * If there is a firewall between you and nameservers you want
>> * to talk to, you might need to uncomment the query-source
>> * directive below. Previous versions of BIND always asked
>> * questions using port 53, but BIND 8.1 uses an unprivileged
>> * port by default.
>> */
>> // query-source address * port 53;
>> };
>>
>>
>> View 1
>> acl internal { 192.168.0.0/16; };
>> view "internal" {
>> match-clients { internal; };
>> recursion yes;
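The two dig commands Stefan quotes differ only in whether the query carries an EDNS OPT record advertising a larger UDP buffer, which is exactly what a firewall's DNS inspection (or a hard 512-byte UDP limit) trips over. The following is an added example, not code from this thread or from BIND: it builds the same two query packets on the wire, decodes the advertised payload size the way a resolver or firewall sees it, reads the TC (truncated) flag from a constructed response, and interprets the answered/not-answered outcome of the test. The transaction ID, the sample response bytes and the wording of the verdicts are constructed here; nothing is sent on the network.

```python
import struct

DNS_TYPE_SOA = 6
DNS_TYPE_OPT = 41
DNS_CLASS_IN = 1
CLASSIC_UDP_LIMIT = 512  # RFC 1035 limit a non-EDNS query is bound to


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=DNS_TYPE_SOA, recursion_desired=False, bufsize=None, txid=0x1234):
    """Build a DNS query like `dig <qname> soa +norec` (bufsize=None) or `+bufsize=N`.

    bufsize=None sends a classic query; an integer adds the EDNS OPT pseudo-RR whose
    CLASS field carries the advertised UDP payload size (that is what the firewall sees).
    txid is a constructed, fixed transaction id so the output is reproducible.
    """
    flags = 0x0100 if recursion_desired else 0x0000  # RD bit; +norec clears it
    arcount = 1 if bufsize else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, DNS_CLASS_IN)
    pkt = header + question
    if bufsize:
        # OPT RR: root name (0x00), TYPE 41, CLASS = UDP payload size, TTL = 0, RDLENGTH 0
        pkt += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, bufsize, 0, 0)
    return pkt


def parse_header(pkt):
    """Decode the 12-byte header; tc=True means the answer did not fit in UDP."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def decode_name(pkt, offset):
    """Decode a name at offset, following one level of compression pointers."""
    labels = []
    while True:
        length = pkt[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0:  # 11xxxxxx: pointer to an earlier copy of the name
            ptr = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(pkt, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", offset + 2
        labels.append(pkt[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def skip_rr(pkt, offset):
    """Advance past one resource record (name, type, class, ttl, rdlength, rdata)."""
    _, offset = decode_name(pkt, offset)
    rdlen = struct.unpack("!H", pkt[offset + 8:offset + 10])[0]
    return offset + 10 + rdlen


def advertised_udp_size(pkt):
    """Return the UDP payload size a packet advertises via EDNS, else the classic 512."""
    h = parse_header(pkt)
    offset = 12
    for _ in range(h["qdcount"]):
        _, offset = decode_name(pkt, offset)
        offset += 4  # qtype + qclass
    for _ in range(h["ancount"] + h["nscount"]):
        offset = skip_rr(pkt, offset)
    for _ in range(h["arcount"]):
        _, fields = decode_name(pkt, offset)
        rtype, rclass = struct.unpack("!HH", pkt[fields:fields + 4])
        if rtype == DNS_TYPE_OPT:
            return rclass
        offset = skip_rr(pkt, offset)
    return CLASSIC_UDP_LIMIT


def diagnose_firewall(answered_plain, answered_edns):
    """Interpret the two-query test: plain query answered but EDNS query not => firewall."""
    if answered_plain and not answered_edns:
        return "firewall drops EDNS/large UDP DNS"
    if answered_plain and answered_edns:
        return "EDNS passes"
    return "no response to the plain query either"


if __name__ == "__main__":
    plain = build_query("com")                 # dig soa com +norec
    edns = build_query("com", bufsize=1024)    # dig soa com +norec +bufsize=1024
    print(len(plain), advertised_udp_size(plain), plain.hex())
    print(len(edns), advertised_udp_size(edns), edns.hex())
```

A query with `edns-udp-size 512` in named.conf still carries the OPT record, only with CLASS 512, so a firewall that objects to the OPT record itself rather than to the size will keep dropping it; the `tc` flag from `parse_header` is the signal that a resolver will retry over TCP, so TCP/53 has to pass the firewall as well.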