Troubleshooting slow DNS lookup

Rianto Wahyudi me at rwahyudi.com
Fri Nov 26 04:23:20 UTC 2010


Hi Mark,

Thanks for the pointers, you are spot on!

Doing dig +trace +dnssec www.paypal.com always fails.
After some investigation with the network guys, it appears that our upstream
firewall is dropping DNS UDP packets larger than 512.
Cisco FWSM has this configuration enabled by default:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/i2.html#wp1565355

Once again thanks for the help!

Regards,
Rianto Wahyudi


> You need to mimic the nameserver more closely and turn on +dnssec.
>
>        dig +trace +dnssec www.paypal.com
>
> I suspect you have a firewall that is blocking the larger replies +dnssec
> produces.  Named will work around this by adjusting the queries it makes
> but that requires timeouts and hence the longer resolution time.
>
> Mark
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>