Troubleshooting slow DNS lookup

Mark Andrews marka at isc.org
Wed Dec 8 10:31:02 UTC 2010


In message <AANLkTimS2mFbib5LPdpqYaRc8Ds1GG4dB7b2tEa=BnZa at mail.gmail.com>, Rianto Wahyudi writes:
> Hi Mark,
> 
> Thanks for your quick response !
> 
> > Standards Track.
> > RFC 2671 Extension Mechanisms for DNS (EDNS0)
> > RFC 3226 DNSSEC and IPv6 A6 aware server/resolver message size requirements
> 
> Unfortunately an RFC is not considered good enough ... unless we
> can find actual proof that can be replicated :(
> 
> I also did some DNSSEC trace demonstrations, and it is still not a good
> enough reason :
> ie : dig www.anyhostname.com +trace +dnssec .
> This test always fails and it produces an FWSM log entry similar to:
> : %FWSM-2-106007: Deny inbound UDP from 198.142.0.51/53 to
> 10.0.0.1/64788 due to DNS Response

I also suggest that you ask your firewall people to talk to the
CISCO TAC about how to properly configure the firewall for a
nameserver that supports EDNS.  The defaults are not set up for a
nameserver that supports EDNS.

If they don't want to do that read what CISCO recommends here:

	https://supportforums.cisco.com/message/3221565#3221565


> > Informational.
> > RFC 4294 IPv6 Node Requirements
> >
> > http://labs.ripe.net/Members/anandb/content-testing-your-resolver-dns-reply-size-issues
> >
> 
> 
> > How about the root servers?
> >
> >> - Any example of dns record that send packet larger than 512 ?
> >
> > The root servers.
> >
> >         dig +dnssec dnskey .
> 
> This for some reason .... works without any problem  :

Well if you ask the root servers ....

	dig +dnssec dnskey . @a.root-servers.net

With just "dig +dnssec dnskey ." you are talking to your own server so
are not going through the firewall.  You will also notice it took 1/2
a second to get that answer so named did several different attempts in
that 1/2 second.

> ;; Query time: 547 msec

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
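The thread turns on two mechanisms: the EDNS0 OPT pseudo-record (RFC 2671) through which a resolver advertises that it can accept UDP replies larger than the classic 512 bytes, and a firewall DNS-inspection rule that drops replies above a fixed length regardless of what the client advertised. The following Python is an added illustration, not code from the list post or from BIND: it builds a "dnskey ." query with an OPT record, parses the advertised UDP size and DO bit back out of a message, and constructs a synthetic oversized reply to show the verdict a length-limited inspection rule would reach. The 512-byte inspection limit, the 4096-byte advertised size, and the DNSKEY rdata are all constructed values.

```python
"""EDNS0 query builder, OPT-record parser and a model of a length-limited
DNS inspection rule. Added example for the bind-users thread; standard
library only, all sample data constructed inline, runs offline."""
import struct

TYPE_OPT = 41            # OPT pseudo-RR type (RFC 2671)
TYPE_DNSKEY = 48
DO_FLAG = 0x8000         # DNSSEC OK bit, top bit of the OPT "TTL" field (RFC 3225)
CLASSIC_UDP_LIMIT = 512  # pre-EDNS maximum UDP payload (RFC 1035); assumed inspection limit


def encode_name(name):
    """Wire-format a domain name; the root "." encodes as a single zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte compression pointer
            return off + 2
        off += 1 + length


def build_query(qname, qtype, txid=0x1234, udp_size=4096, dnssec_ok=True, edns=True):
    """Build a recursion-desired query; with edns=True append an OPT record in the
    additional section. OPT layout: name=root, TYPE=41, CLASS=requester UDP
    payload size, TTL=ext-rcode/version/flags (DO bit), RDLENGTH=0."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question
    ttl = DO_FLAG if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return header + question + opt


def parse_edns(msg):
    """Return (advertised_udp_size, dnssec_ok) from the OPT record, or None if absent."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & DO_FLAG)
    return None


def build_sample_response(query, rdata_len=600, udp_size=4096):
    """Constructed reply: echoes the question, one DNSKEY RR with synthetic
    zero-filled rdata (real root key material is likewise well over 512 bytes
    in total), plus the server's own OPT record."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1)   # QR, RD, RA set
    answer = (b"\xc0\x0c"                                        # pointer to question name
              + struct.pack("!HHIH", TYPE_DNSKEY, 1, 3600, rdata_len)
              + b"\x00" * rdata_len)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return header + question + answer + opt


def firewall_verdict(response_len, advertised_size, enforced_max=CLASSIC_UDP_LIMIT):
    """Model an inspection rule that drops UDP DNS replies longer than
    `enforced_max` without regard to the EDNS size the client advertised."""
    if response_len <= enforced_max:
        return "pass"
    if response_len <= advertised_size:
        return "dropped: within the client's EDNS size but above the inspection limit"
    return "too large for client buffer: server truncates (TC) and client retries over TCP"


if __name__ == "__main__":
    q = build_query(".", TYPE_DNSKEY)
    r = build_sample_response(q)
    print("query advertises", parse_edns(q))
    print("reply is", len(r), "bytes ->", firewall_verdict(len(r), parse_edns(q)[0]))
```

The middle verdict is the case in the thread: the reply fits what the resolver advertised, so named sees no protocol error, yet the inspection rule logs a deny and the resolver retries with smaller EDNS sizes until it falls back, which is where the half-second query time comes from.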


