This is a discussion on Re: packet too big within the Bind Users forums, part of the DNS and Related Forums category.
> > > Michael Varre wrote:
> > > I noticed that when using my name servers as a resolver I cannot get
> > > to several yahoo sites. I dug in and noticed a message is getting
> > > logged on the firewall that the packet is over 512 bytes (this is the
> > > answer packet).
> > > The answer seems to be coming directly from yahoo's name servers. I
> > > have included captures. One is from an answer I receive from
> > > roadrunner ns and the other is from one of my resolvers. There is
> > > clearly more data at the end of mine; however, I have no clue why it is
> > > there from my server rather than others.
> > >
> > > Any ideas on this problem would be greatly appreciated! Thanks!
>
> As you have noticed this is a firewall issue and is best addressed
> at that point in the chain. On my PIX we do this
>
> fixup protocol dns maximum-length 1024

I suggest that you make this

    fixup protocol dns maximum-length 4096

as named advertises a 4k UDP buffer. The point of the control is to allow
you to set the firewall to match what your nameservers are advertising.
The current default and recommended size is 4096.

RFC 2671: Extension Mechanisms for DNS (EDNS0)

9.3: 1432. [func] The advertised EDNS UDP buffer size can now be set via
           named.conf (edns-udp-size).

8.4: 1534. [func] The advertised EDNS UDP buffer size can now be set via
           named.conf (edns-udp-size).

Mark

> Check your docs for what you need to do to let EDNS0 packets get through
> the firewall.
>
> - Joel

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
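The "more data at the end" of the answer that Michael saw is the EDNS0 OPT pseudo-RR: a resolver such as named adds it to its query with the advertised UDP payload size in the record's CLASS field, and the authoritative server echoes one back in the additional section, so the response may legitimately exceed the classic 512-byte limit that a fixed-length firewall inspection enforces. The following is an added example, not code from the thread or from ISC; it builds a constructed A response (addresses from the 203.0.113.0/24 documentation range, not real yahoo data), pulls the advertised size out of the OPT record, and shows why a 512-byte DNS inspection drops a reply that a 1024- or 4096-byte limit lets through.

```python
"""Inspect the EDNS0 OPT record in a raw DNS response (added example)."""
from __future__ import annotations

import struct

OPT_TYPE = 41  # RR type of the EDNS0 OPT pseudo-record (RFC 2671)


def encode_name(qname: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels."""
    labels = qname.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(qname: str, addrs: list[str], udp_size: int | None) -> bytes:
    """Build a constructed DNS A response; append an OPT RR if udp_size is set.

    Constructed test data, not a captured packet. The OPT record's CLASS field
    carries the sender's advertised UDP payload size; TTL and RDATA stay zero.
    """
    arcount = 1 if udp_size is not None else 0
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(addrs), 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for a in addrs:
        rdata = bytes(int(octet) for octet in a.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    opt = b""
    if udp_size is not None:
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + answers + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def skip_rr(msg: bytes, off: int) -> int:
    """Return the offset just past a complete resource record."""
    off = skip_name(msg, off)
    rdlength = struct.unpack_from("!H", msg, off + 8)[0]  # after TYPE, CLASS, TTL
    return off + 10 + rdlength


def edns_udp_size(msg: bytes) -> int | None:
    """Return the UDP payload size advertised in the OPT RR, or None if absent."""
    qdcount, ancount, nscount, arcount = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount + nscount):
        off = skip_rr(msg, off)
    for _ in range(arcount):
        name_end = skip_name(msg, off)
        rtype, rclass = struct.unpack_from("!HH", msg, name_end)
        if rtype == OPT_TYPE:
            return rclass  # CLASS field doubles as the advertised payload size
        off = skip_rr(msg, off)
    return None


def firewall_verdict(msg: bytes, max_length: int) -> str:
    """Model a fixed-length DNS inspection: drop datagrams over max_length."""
    return "pass" if len(msg) <= max_length else "drop"


if __name__ == "__main__":
    # A response with many A records, like a large round-robin set (constructed).
    big = build_response("www.example.com", [f"203.0.113.{i}" for i in range(1, 41)], 4096)
    print(f"{len(big)} bytes, OPT advertises {edns_udp_size(big)}")
    for limit in (512, 1024, 4096):
        print(f"  maximum-length {limit}: {firewall_verdict(big, limit)}")
```

The same thing can be checked live with dig: `dig +bufsize=512 <name>` forces a 512-byte advertisement and should succeed through a 512-byte inspection, while the default (or `+bufsize=4096`) reproduces the drop if the firewall limit is still below what named advertises.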