Name Resolve

Wael Shahin wael.shahin at gmail.com
Thu Mar 15 12:13:50 UTC 2007


Thank you again Stefan,
I configured our PIX firewall a long time back to the default value that 
BIND uses for EDNS packets,
and after a while, to eliminate the firewall from this mystery, I completely 
removed the DNS inspection on the firewall.
The edns size option is not the issue, I believe, and I have also tried it.
Weirdly enough, sometimes I get the same error, and by issuing "rndc 
flush" the server starts resolving the troubled domain again.

----- Original Message ----- 
From: "Stefan Puiu" <stefan.puiu at gmail.com>
To: "Wael Shahin" <wael.shahin at gmail.com>
Cc: <bind-users at isc.org>
Sent: Thursday, March 15, 2007 2:13 PM
Subject: Re: Name Resolve


> On 3/15/07, Wael Shahin <wael.shahin at gmail.com> wrote:
>> Well, the other server is views and it is not complex at all
>>
>> options {
>>         directory "/var/named/";
>>         dump-file "/var/named/data/cache_dump.db";
>>         statistics-file "/var/named/data/named_stats.txt";
>>         version "Get Lost";
>>         datasize default;
>>         querylog no;
>>         recursive-clients 30000;
>>         edns-udp-size 512;
>
>           ^^^^
> This is one difference that sticks out - it's a workaround for
> firewalls blocking DNS packets bigger than 512 bytes. If your firewall
> has that problem and you can't replace or fix it, you can use this as
> a workaround on your first server, too.
>
> IIRC, you can check whether it's your case using dig. Quoting from an
> older mail by Mark Andrews (you can find it in the list archives -
> http://marc.info/?l=bind-users&m=110479849321451&w=2):
>
>> > You can determine if the firewall is misconfigured if you get
>> > a response to the first query and not to the second query.
>> >
>> > dig soa com +norec @a.root-servers.net
>> > dig soa com +norec +bufsize=1024 @a.root-servers.net
>
>
>>         pid-file "/var/named/named.pid";
>>         /*
>>          * If there is a firewall between you and nameservers you want
>>          * to talk to, you might need to uncomment the query-source
>>          * directive below.  Previous versions of BIND always asked
>>          * questions using port 53, but BIND 8.1 uses an unprivileged
>>          * port by default.
>>          */
>>          // query-source address * port 53;
>> };
>>
>>
>> View 1
>> acl internal { 192.168.0.0/16; };
>> view "internal" {
>>         match-clients { internal; };
>>         recursion yes;
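The two dig commands quoted from Mark Andrews above are the whole diagnostic: a reply to the plain query but none to the query carrying an EDNS0 OPT record (the `+bufsize=1024` one) means something between you and the server is dropping EDNS or DNS messages larger than 512 bytes, which is exactly what `edns-udp-size 512;` papers over. The following is an added example, not code from this thread or from BIND: it builds those two probes on the wire, parses the reply to read the OPT record the server sends back, and applies the rule from the quoted mail. The `SAMPLE_REPLY` bytes are constructed for offline testing, not a capture, and the SOA contents in it are made up; `check_edns_path()` is the only part that touches the network and defaults to a.root-servers.net, as in the quoted commands.

```python
import socket
import struct

OPT = 41   # EDNS0 pseudo-RR type (RFC 2671)
SOA = 6


def _encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype=SOA, bufsize=None, rd=False, txid=0x1234):
    """DNS query; with bufsize set, append an OPT RR as 'dig +bufsize=N' does.
    rd=False mirrors 'dig +norec'."""
    flags = 0x0100 if rd else 0x0000
    arcount = 1 if bufsize else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += _encode_name(name) + struct.pack("!HH", qtype, 1)
    if bufsize:
        # OPT RR: root name, type 41, CLASS field carries the UDP payload size,
        # TTL carries extended rcode/version/flags (all zero), empty rdata.
        msg += b"\x00" + struct.pack("!HHIH", OPT, bufsize, 0, 0)
    return msg


def parse_response(msg):
    """Header flags plus the advertised UDP size from the OPT record, if any."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    edns_size, records = None, 0
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            edns_size = rclass
        else:
            records += 1
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "records": records, "edns_udp_size": edns_size, "length": len(msg)}


def probe(server, name, bufsize=None, timeout=3.0):
    """Send one query over UDP/53; None means no reply within the timeout."""
    query = build_query(name, bufsize=bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)


def diagnose(plain, edns):
    """Rule from the quoted mail: an answer to the plain query but none to
    the EDNS one points at the firewall, not at the name server."""
    if plain is None:
        return "no reply even without EDNS: not an EDNS problem (server, route or port 53)"
    if edns is None:
        return "EDNS query unanswered: firewall drops OPT or >512-byte DNS; edns-udp-size 512 is the workaround"
    if edns["edns_udp_size"] is None:
        return "EDNS query answered without OPT: EDNS is being stripped; stay at 512"
    return "EDNS path OK: server advertises %d-byte UDP payload" % edns["edns_udp_size"]


def check_edns_path(server="a.root-servers.net", name="com"):
    """Equivalent of 'dig soa com +norec' with and without +bufsize=1024."""
    return diagnose(probe(server, name), probe(server, name, bufsize=1024))


# Constructed sample reply (not a capture): SOA for "com" plus an OPT record
# advertising 4096 bytes, with a compression pointer in the answer name.
_soa_rdata = (_encode_name("a.gtld-servers.net") + _encode_name("nstld.verisign-grs.com")
              + struct.pack("!IIIII", 1, 1800, 900, 604800, 86400))
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 1)
                + _encode_name("com") + struct.pack("!HH", SOA, 1)
                + b"\xc0\x0c" + struct.pack("!HHIH", SOA, 1, 900, len(_soa_rdata)) + _soa_rdata
                + b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, 0))

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY))
    print(check_edns_path())
```

Run it from inside the network behind the PIX, against the same server the broken resolver is failing on, and compare with a run from outside; if the verdict differs, the firewall is still in the path for those packets regardless of whether its DNS inspection is switched off. Note that the probe only distinguishes dropped from answered replies; a firewall that lets the query through but truncates the larger response shows up as `tc` set or `rcode` nonzero in the parsed reply rather than as a timeout.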
