This is a discussion on RE: packet too big within the Bind Users forums, part of the DNS and Related Forums category.
On Fri, 2004-07-09 at 10:46, Michael Varre wrote:
> > -----Original Message-----
> > From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On
> > Behalf Of Joel
> > Sent: Friday, July 09, 2004 10:43 AM
> > To: Michael Varre
> > Cc: bind-users@isc.org
> > Subject: Re: packet too big
> >
> > Michael Varre wrote:
> > > > I noticed that when using my name servers as a resolver I cannot get
> > > > to several yahoo sites. I dug in and noticed a message is getting
> > > > logged on the firewall that the packet is over 512 bytes (this is the
> > > > answer packet).
> > > > The answer seems to be coming directly from yahoo's name servers. I
> > > > have included captures. One is from an answer I receive from
> > > > roadrunner ns and the other is from one of my resolvers. There is
> > > > clearly more data at the end of mine, however I have no clue why it is
> > > > there from my server rather than others.
> > > >
> > > > Any ideas on this problem would be greatly appreciated! Thanks!
> >
> > As you have noticed this is a firewall issue and is best addressed
> > at that point in the chain. On my PIX we do this
> >
> > fixup protocol dns maximum-length 1024
> >
> > Check your docs for what you need to do to let EDNS0 packets get through
> > the firewall.
> > - Joel
> >
> Joel,
> Well yes that is one possibility. However it seems to me that there is no
> good reason for the packet to be larger than 512 bytes - 512 is pretty
> standard. I don't see how my setup could be different from most other
> servers on the net.
>
> mv

I suggest that you are blocking tcp packets which are used when the returned
information is larger than a udp packet.

--
G. Roderick Singleton <gerry@pathtech.org>
PATH tech
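Added example, not part of the original thread: a Python check of a DNS-over-UDP reply against a firewall length limit, reporting the message size, the TC (truncation) flag and the UDP payload size advertised in the EDNS0 OPT record. The packet is constructed for illustration, and the names `inspect`, `sample_response` and `big.example` are assumptions of this example.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:                 # root label ends the name
            return off + 1
        if n & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n

def inspect(msg, fw_limit=512):
    """Summarise one UDP DNS message against a firewall length limit."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                          # OPT RR: CLASS holds UDP payload size
            edns_size = rclass
        off += 10 + rdlen
    return {"bytes": len(msg), "tc": bool(flags & 0x0200),
            "edns_udp_size": edns_size, "over_limit": len(msg) > fw_limit}

# --- constructed sample data (not a capture from the thread) ---
def name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"

def rr(owner, rtype, rclass, rdata, ttl=300):
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def sample_response(n_txt=3, edns=4096):
    q = name("big.example") + struct.pack("!HH", 16, 1)      # TXT, IN
    txt = bytes([200]) + b"x" * 200                          # one 200-byte string
    answers = b"".join(rr(b"\xc0\x0c", 16, 1, txt) for _ in range(n_txt))
    opt = rr(b"\0", 41, edns, b"", ttl=0) if edns else b""   # EDNS0 OPT record
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, n_txt, 0, 1 if edns else 0)
    return hdr + q + answers + opt

if __name__ == "__main__":
    print(inspect(sample_response()))                  # default 512-byte limit
    print(inspect(sample_response(), fw_limit=1024))   # limit raised to 1024
```

A reply with `edns_udp_size` set and `over_limit` true is the case a 512-byte DNS length check on the firewall drops; a reply with `tc` true is the case where the resolver retries over TCP, so TCP port 53 must be permitted as well.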