DNS packet size -- what's the correct size

Rob Tanner rtanner at linfield.edu
Sun Sep 30 20:50:46 UTC 2007


Thanks to all who replied. It's odd that my O'Reilly DNS book still 
lists 512 bytes as the max size.  From the comments I got, I've asked 
our network manager to either turn that check off entirely or set the 
limit to 2048.
Again thanks.

-- Rob

On 09/30/2007 11:31 AM, dnd wrote:
> Rob:
>
> We recently dealt with the same problem after changing Bind versions
> from 8.2.7 (ancient, I know) to 8.4.7
> Turns out, since 8.3, the default EDNS size has been higher (can't
> recall if it is 1024 or 2048).
>
> In any event, the problem you describe is indeed with the Pix, but we
> did a quick fix by adding the following to our named.conf files.
>
> Add `edns-udp-size 512;` to your named.conf file as a work-around.
>
> Before this fix, our name servers were unable to resolve certain
> addresses (e.g. cluster1.us.messagelabs.com) which sent large packets.
> We have not had any further incidents after the named.conf modification.
>
> Regards,
>
> Debbie Andrews
>
>
> Rob Tanner wrote:
>   
>> Hi,
>> It's my understanding that the max DNS packet size is 512 bytes and that 
>> is apparently what Cisco thinks because our firewall is blocking DNS 
>> packets over that size, calling them malformed.  The problem is that we 
>> see numerous such packets and the real puzzler is that many of them 
>> originate with core servers.
>>
>> The issue is getting serious because there are some sites for which I 
>> can't resolve addresses from on campus, but use an external name server 
>> and those same sites resolve perfectly.  And, of course, I'm concerned 
>> that this problem is related to the dropping of oversized packets by the 
>> firewall.
>>
>> Is Cisco's default limit too small?  Can someone explain to me what 
>> might be going on?
>>
>> Thanks,
>> Rob
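The thread turns on one mechanism: a resolver or server that speaks EDNS0 adds an OPT pseudo-record to the additional section, and the CLASS field of that record advertises the UDP buffer size it will accept (so answers larger than the classic 512 bytes travel over UDP instead of forcing a TCP retry). A firewall that still enforces 512 bytes then silently drops the large reply, which is exactly the symptom Rob describes, and `edns-udp-size 512;` sidesteps it by never advertising more. The script below is an added example for checking a path from the defender's side; it is not code from the thread or from BIND. It builds a query with a chosen EDNS0 payload size, parses a reply for the TC (truncated) bit and the echoed OPT size, and compares a 512-byte probe against a 4096-byte probe. The live `probe()` assumes the resolver given on the command line answers on UDP port 53; the sample replies in `build_sample_response()` are constructed, not captured traffic.

```python
"""Check whether a path honours EDNS0 UDP payload sizes above 512 bytes.
Builds a query carrying an OPT pseudo-RR (RFC 6891) and parses replies
for the TC bit and the OPT size echoed back. Standard library only."""
import socket
import struct

DNS_TYPE_A = 1
DNS_TYPE_OPT = 41
DNS_CLASS_IN = 1

def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (uncompressed labels)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split(".") if label)
    return out + b"\x00"

def build_query(name, udp_payload_size=None, txid=0x1234):
    """Wire-format A query; with udp_payload_size set, an OPT record is
    appended to the additional section advertising that buffer size."""
    arcount = 0 if udp_payload_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    packet = header + encode_name(name) + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)
    if udp_payload_size is not None:
        # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode/version/flags, RDLEN=0
        packet += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_payload_size, 0, 0)
    return packet

def skip_name(data, offset):
    """Return the offset just past a name; a compression pointer ends it."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length

def parse_response(data):
    """Header flags plus the OPT record's advertised size, if any."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "answers": an, "length": len(data), "edns_udp_size": None}
    offset = 12
    for _ in range(qd):
        offset = skip_name(data, offset) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        offset = skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            info["edns_udp_size"] = rclass              # CLASS carries the size
    return info

def diagnose(reply_512, reply_large):
    """Compare a 512-byte probe with a large-buffer probe (None = timed out)."""
    if reply_large is not None and not reply_large["tc"]:
        return "large UDP replies arrive; path honours EDNS0"
    if reply_large is None and reply_512 is not None:
        return "large UDP reply lost in transit; suspect a 512-byte filter"
    if reply_large is not None and reply_large["tc"]:
        return "server truncated despite a large buffer; resolver must retry over TCP"
    return "no reply either way; server unreachable"

def build_sample_response(txid, tc, n_answers, opt_size):
    """Constructed sample reply (not captured traffic): A records for
    example.com using a compression pointer to the question, plus an OPT RR."""
    flags = 0x8180 | (0x0200 if tc else 0)             # QR, RD, RA [, TC]
    header = struct.pack("!HHHHHH", txid, flags, 1, n_answers, 0, 1)
    body = encode_name("example.com") + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)
    for i in range(n_answers):
        body += b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_A, DNS_CLASS_IN, 300, 4)
        body += bytes([192, 0, 2, i + 1])               # 192.0.2.x documentation range
    body += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, opt_size, 0, 0)
    return header + body

def probe(server, name, udp_payload_size, timeout=2.0):
    """One live UDP query to server:53 (assumed reachable); None on timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, udp_payload_size), (server, 53))
        data, _ = sock.recvfrom(65535)
        return parse_response(data)
    except socket.timeout:
        return None
    finally:
        sock.close()

if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed local resolver
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    print(diagnose(probe(server, name, 512), probe(server, name, 4096)))
```

Run it as `python edns_probe.py <resolver-ip> <name>` from inside the network in question. A 512-byte reply that arrives (possibly with TC set) while the 4096-byte reply times out is the signature of a middlebox still enforcing the pre-EDNS limit; the fix belongs on the firewall, and `edns-udp-size 512;` is the server-side way to live with it until then.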