dns query id not changing
phn at icke-reklam.ipsec.nu
Fri Dec 17 07:13:38 UTC 2004
Adam Denenberg <straightflush at gmail.com> wrote:
> Well the issue is that that same "tuple" is coming in as the firewall
> is tearing down the connection. The firewall needs about 60ms for the
> connection to expire according to Cisco.
> I agree that there is definitely an issue with the firewall, but it
> was also my understanding the resolver used random query IDs for each
> request. Out of nowhere, the resolver appears to re-use a query ID
> that it just used in a very short span (20ms) and it confuses the
> firewall b/c the firewall has not torn down the previous connection.
> Shouldn't this behavior be somewhat consistent?
> We have an application (pam_ldap) that needs to make 3 or 4 DNS
> requests. The 3rd dns request is _always_ using the same ID as the 2nd
> DNS request and occurs in about 10ms before the firewall has torn down
> the original connection and thus causes a timeout (the FW drops it).
> I guess what I am trying to figure out is why the behavior of the
> resolver for creating a query ID is not consistent. It should either
> reuse the same one, or create totally random ones. It is doing a
> little bit of both and thus breaking the app.
As this id is a 16-bit value it will be reused fast.
Do as others suggested, fix the pix! Change vendor if needed.
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but I'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
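As an added illustration (not code from the thread or from BIND), the check below parses a constructed query log, flags any query that repeats the same source/destination/query-id key inside the 60 ms expiry window the firewall is said to need, and computes how often truly random 16-bit ids would collide on their own; the log format, addresses and timings are assumptions.

```python
import re

# Constructed sample (not from the thread): one client's queries to one server,
# timestamp in ms, UDP source/destination and the 16-bit DNS query id.
# Entry 3 reuses entry 2's id after 10 ms; entry 4 reuses entry 1's id only
# after 150 ms, when a 60 ms firewall entry would already be gone.
SAMPLE_LOG = """\
t=0   src=10.0.0.5:53012 dst=192.0.2.53:53 id=0x3a1f
t=8   src=10.0.0.5:53012 dst=192.0.2.53:53 id=0x9c42
t=18  src=10.0.0.5:53012 dst=192.0.2.53:53 id=0x9c42
t=150 src=10.0.0.5:53012 dst=192.0.2.53:53 id=0x3a1f
"""

LINE_RE = re.compile(r"t=(\d+)\s+src=(\S+)\s+dst=(\S+)\s+id=(0x[0-9a-fA-F]+)")

def parse_queries(log):
    """Yield (time_ms, src, dst, query_id) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), int(m.group(4), 16)

def find_id_reuse(log, window_ms=60):
    """Return [(query_id, earlier_t, later_t)] for every query whose
    (src, dst, id) key was already seen less than window_ms ago. A stateful
    firewall that keys UDP flows on this tuple and needs window_ms to expire
    the old entry would drop exactly these queries."""
    last_seen = {}
    hits = []
    for t, src, dst, qid in parse_queries(log):
        key = (src, dst, qid)
        if key in last_seen and t - last_seen[key] < window_ms:
            hits.append((qid, last_seen[key], t))
        last_seen[key] = t
    return hits

def collision_probability(n, bits=16):
    """Birthday bound: chance that n independently random ids of the given
    width contain at least one repeat anywhere in the sequence."""
    space = 1 << bits
    no_repeat = 1.0
    for i in range(n):
        no_repeat *= (space - i) / space
    return 1.0 - no_repeat

if __name__ == "__main__":
    for qid, t0, t1 in find_id_reuse(SAMPLE_LOG):
        print(f"id 0x{qid:04x} reused after {t1 - t0} ms (inside firewall window)")
    print(f"P(repeat among 4 random 16-bit ids) = {collision_probability(4):.2e}")
```

With four random ids the chance of any repeat is under 1 in 10,000, so a repeat that shows up on every run is a pattern worth checking in a capture rather than bad luck.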