EDNS UDP packets > 512 octets

Posted: 17 Jan 2014, 20:28
by nvnet
I'm seeing syslog entries several times per day from bind9 along the lines of

success resolving 'whateverdomain/A' (in 'whateverdomain'?) after reducing the advertised EDNS UDP packet size to 512 octets.

Apparently I'm not allowed to post links, but a post on the ISC forum indicates we are probably not permitting UDP > 512 bytes through the firewall.
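To see how often this is actually happening, here is an added example (not from the original post) that counts the bind9 fallback messages per domain from a syslog extract. The log lines embedded in it are constructed samples with made-up hosts and times; on a real server you would feed it the live log, e.g. `edns_fallbacks < /var/log/syslog`.

```shell
#!/bin/sh
# Added example, not from the original post: count how often bind9 only
# resolved a name after falling back to a 512-octet EDNS UDP size.
# Real usage: edns_fallbacks < /var/log/syslog
# The log lines below are constructed samples (hosts, times and names made up).

# Read syslog lines on stdin; print "count domain", most frequent first.
edns_fallbacks() {
    grep 'reducing the advertised EDNS UDP packet size to 512 octets' \
        | sed -n "s/.*success resolving '\([^/']*\)\/[A-Za-z0-9]*'.*/\1/p" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample extract: two fallbacks for example.net, one for
# example.com, plus an unrelated query-log line that must be ignored.
sample_log() {
    cat <<'EOF'
Jan 17 09:12:01 ns1 named[1234]: success resolving 'example.net/A' (in 'example.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jan 17 09:12:01 ns1 named[1234]: client 192.0.2.10#53211: query: example.org IN A +E (198.51.100.1)
Jan 17 11:40:22 ns1 named[1234]: success resolving 'example.net/MX' (in 'example.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jan 17 13:05:47 ns1 named[1234]: success resolving 'example.com/AAAA' (in 'example.com'?) after reducing the advertised EDNS UDP packet size to 512 octets
EOF
}

# Number of distinct domains that needed the fallback on the sample
# (0 means nothing on the path is forcing replies down to 512 octets).
fallback_domains() {
    sample_log | edns_fallbacks | wc -l | tr -d ' '
}

# Demonstration on the constructed sample.
sample_log | edns_fallbacks
```

A steady stream of these lines for many different domains points at the network path (replies larger than 512 octets never arriving) rather than at any one zone; a single domain appearing over and over is more likely that domain's own servers.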

Re: EDNS UDP packets > 512 octets

Posted: 17 Jan 2014, 21:20
by ForumAdmin
In our experience it's usually a local network router causing the problem, rather than an iptables firewall. Try the following with csf enabled and csf disabled:

dig @127.0.0.1 +short rs.dns-oarc.net txt

Note the results. Then:

csf -x
dig @127.0.0.1 +short rs.dns-oarc.net txt

Then re-enable csf:

csf -e

You'll likely find that you get the same results, indicating a local network restriction rather than the csf-configured firewall:
https://www.dns-oarc.net/oarc/services/replysizetest/

Almost all servers that we test give the following result with or without csf enabled:

rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"85.13.195.235 sent EDNS buffer size 4096"
"85.13.195.235 DNS reply size limit is at least 3843 bytes"
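As an added example (not part of the reply above), the following script pulls the measured reply size limit out of the OARC test output and compares the csf-enabled run with the csf-disabled run, so the two results can be judged the same way every time. The two sample outputs it contains are constructed to mirror the format shown above (192.0.2.1 is a documentation address, and the 512-byte sample is illustrative); with a real resolver you would pipe `dig @127.0.0.1 +short rs.dns-oarc.net txt` into `reply_size_limit` once with csf enabled and once after `csf -x`, then run `csf -e` again.

```shell
#!/bin/sh
# Added example, not part of the original reply: interpret the OARC reply size
# test output and compare a csf-enabled run with a csf-disabled run.
# Real usage (once with csf enabled, once after `csf -x`, then `csf -e`):
#   dig @127.0.0.1 +short rs.dns-oarc.net txt | reply_size_limit
# The two sample outputs below are constructed; 192.0.2.1 is a documentation
# address and the 512-byte case is illustrative of a restricted path.

# Print the measured reply size limit (bytes) from dig +short output on stdin.
reply_size_limit() {
    sed -n 's/.*DNS reply size limit is at least \([0-9][0-9]*\) bytes.*/\1/p'
}

# Print the EDNS buffer size the tester saw this resolver advertise.
advertised_buffer() {
    sed -n 's/.*sent EDNS buffer size \([0-9][0-9]*\).*/\1/p'
}

# Verdict for one run; $1 = measured limit. A ceiling at or below 512 bytes
# is exactly what makes bind9 log the "reducing ... to 512 octets" message.
verdict() {
    if [ "$1" -le 512 ]; then
        echo "udp-over-512-blocked"
    else
        echo "ok"
    fi
}

# Compare the limit measured with csf enabled ($1) against csf disabled ($2).
compare_runs() {
    if [ "$1" -eq "$2" ]; then
        echo "not-csf"        # same ceiling either way: look at the router/NAT
    elif [ "$2" -gt "$1" ]; then
        echo "csf-rules"      # disabling csf raised the ceiling: firewall rules
    else
        echo "inconclusive"   # ceiling fell with csf off; retest
    fi
}

# Constructed sample matching the unrestricted result shown in the thread.
sample_unrestricted() {
    cat <<'EOF'
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"192.0.2.1 sent EDNS buffer size 4096"
"192.0.2.1 DNS reply size limit is at least 3843 bytes"
EOF
}

# Constructed sample for a path that drops UDP replies above 512 bytes.
sample_restricted() {
    cat <<'EOF'
rst.x512.rs.dns-oarc.net.
"192.0.2.1 sent EDNS buffer size 4096"
"192.0.2.1 DNS reply size limit is at least 512 bytes"
EOF
}

# Demonstration: both runs unrestricted, so csf is not the culprit.
ENABLED=$(sample_unrestricted | reply_size_limit)
DISABLED=$(sample_unrestricted | reply_size_limit)
echo "advertised: $(sample_unrestricted | advertised_buffer) bytes"
echo "csf enabled:  $ENABLED bytes ($(verdict "$ENABLED"))"
echo "csf disabled: $DISABLED bytes ($(verdict "$DISABLED"))"
echo "conclusion: $(compare_runs "$ENABLED" "$DISABLED")"
LIMITED=$(sample_restricted | reply_size_limit)
echo "restricted path: $LIMITED bytes ($(verdict "$LIMITED"))"
```

If both runs give the same ceiling, whatever is clamping replies sits outside the csf rules, which is the router case described above; only a ceiling that rises when csf is disabled points back at the iptables configuration.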