[dns-operations] DNS large replies and Cisco's ip virtual-reassembly

Joseph S D Yao jsdy at tux.org
Tue Jan 26 14:41:16 UTC 2010

On Tue, Jan 26, 2010 at 02:45:41PM +0100, Stephane Bortzmeyer wrote:
> While working with the French Internet community on the signing of the
> root and the handling of large DNS replies, a site had problems with
> tests like <https://www.dns-oarc.net/oarc/services/replysizetest>. The
> test started to work when they configured their router Cisco 3825
> (which was located before a firewall Juniper SSG) to:
> ip virtual-reassembly
> Can any Cisco expert explain what it does? I assume the firewall
> cannot handle fragments and the above command forces the router to
> reassemble fragmented packets but I prefer to be sure before adding it
> to my database of "Most Common Problems with DNS large replies".

My Cisco "expertise" often comes with the help of our friend Google.
;-)  But, given that caveat ... had you seen
Particularly, the section:

"VFR is designed to work with any feature that requires fragment
reassembly (such as Cisco IOS Firewall and NAT). Currently, NAT enables
and disables VFR internally; that is, when NAT is enabled on an
interface, VFR is automatically enabled on that interface."

I imagine that the Juniper firewall had problems with the DNS packet
fragments, the same way the Cisco IOS firewall would.  Easier to test
packets than fragments thereof.

Are you posting your "Most Common Problems with DNS large replies" on a
Web site anywhere?

** Joe Yao				jsdy at tux.org - Joseph S. D. Yao
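As an added illustration (not part of this thread or of any vendor's code): a small Python script that builds the EDNS0 query a reply-size test sends, decodes a reply header for the TC bit, and reports whether a reply of a given size exceeds a 1500-byte MTU and so travels as IP fragments, the case a fragment-unaware firewall drops and router-side reassembly works around. The truncated reply embedded below is constructed, not captured.

```python
import struct

IPV4_HEADER = 20   # bytes, IPv4 header without options
UDP_HEADER = 8


def will_fragment(dns_payload_len: int, mtu: int = 1500) -> bool:
    """True if a UDP/IPv4 datagram carrying this DNS payload exceeds the
    path MTU and is sent as IP fragments (the failure mode in the thread)."""
    return IPV4_HEADER + UDP_HEADER + dns_payload_len > mtu


def build_edns_query(name: str, udp_size: int, txid: int = 0x1234) -> bytes:
    """Wire-format query for <name> TXT/IN with an EDNS0 OPT record
    (RFC 6891) advertising a udp_size-byte receive buffer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 16, 1)               # QTYPE=TXT, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)   # root name, TYPE=OPT, CLASS=bufsize, TTL=0, RDLEN=0
    return header + question + opt


def reply_summary(reply: bytes, mtu: int = 1500) -> dict:
    """Decode the reply header. TC=1 means the answer did not fit the advertised
    buffer and the client must retry over TCP; a large reply with TC=0 is the
    one that arrives fragmented and may be dropped by a firewall."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "txid": txid,
        "tc": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "answers": an,
        "size": len(reply),
        "fragments": will_fragment(len(reply), mtu),
    }


# Constructed sample, not a capture: a NOERROR reply with QR, RD, RA and TC set
# and an empty answer section, as a server sends when the answer cannot fit.
SAMPLE_TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)

if __name__ == "__main__":
    print(len(build_edns_query("example.com", 4096)), "byte query advertising 4096")
    print(reply_summary(SAMPLE_TRUNCATED_REPLY))
    for size in (512, 1232, 1472, 1473, 4096):
        print(size, "byte reply fragments at 1500 MTU:", will_fragment(size))
```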

