[dns-operations] EDNS issue

Frank Bulk frnkblk at iname.com
Fri Feb 25 00:27:49 UTC 2011 

Our ISP helpdesk has been receiving a lot of complaints about their
inability to check the weather weather.gov, specifically,
forecast.weather.gov.  Some digs showed that queries were failing, and my
BIND logs show the same:

Feb 24 18:25:12 10.20.0.100 named[2603]: too many timeouts resolving
'forecast.weather.gov/A' (in 'weather.gov'?): disabling EDNS
Feb 24 18:25:36 199.120.69.22 named[5289]: success resolving
'forecast.weather.gov/A' (in 'weather.gov'?) after reducing the advertised
EDNS UDP packet size to 512 octets
Feb 24 18:25:37 10.20.0.200 named[2583]: success resolving
'forecast.weather.gov/A' (in 'weather.gov'?) after reducing the advertised
EDNS UDP packet size to 512 octets
Feb 24 18:25:38 10.20.0.100 named[2603]: too many timeouts resolving
'forecast.weather.gov/A' (in 'weather.gov'?): disabling EDNS
Feb 24 18:25:39 199.120.69.22 named[5289]: success resolving
'radar.weather.gov/A' (in 'weather.gov'?) after reducing the advertised EDNS
UDP packet size to 512 octets
Feb 24 18:25:40 199.120.69.22 named[5289]: success resolving
'www.weather.gov/A' (in 'weather.gov'?) after reducing the advertised EDNS
UDP packet size to 512 octets
Feb 24 18:25:42 10.20.0.200 named[2583]: success resolving
'radar.weather.gov/A' (in 'weather.gov'?) after reducing the advertised EDNS
UDP packet size to 512 octets
Feb 24 18:25:42 10.20.0.100 named[2603]: too many timeouts resolving
'radar.weather.gov/A' (in 'weather.gov'?): disabling EDNS


A quick check showed the following:

	mail1:~# dig -4 +short rs.dns-oarc.net txt
	rst.x1002.rs.dns-oarc.net.
	rst.x1994.x1002.rs.dns-oarc.net.
	rst.x2495.x1994.x1002.rs.dns-oarc.net.
	"Tested at 2011-02-25 00:20:31 UTC"
	"2607:fe28:0:1003:223:7dff:fe9c:4aa5 sent EDNS buffer size 4096"
	"2607:fe28:0:1003:223:7dff:fe9c:4aa5 DNS reply size limit is at
least 2495"
	mail1:~#
	mail1:~# dig forecast.weather.gov

	; <<>> DiG 9.3.4-P1.1 <<>> forecast.weather.gov
	;; global options:  printcmd
	;; connection timed out; no servers could be reached

Does this make sense?  EDNS of size 512 shouldn't be an issue, yet all 7
*nix DNS servers (the first one is above) running BIND complain.  The first
four of the DNS servers are behind an old F5 BigIP, the others aren't.

	root at nagios:/var/log#  dig -4 +short rs.dns-oarc.net txt
	rst.x1002.rs.dns-oarc.net.
	rst.x1222.x1002.rs.dns-oarc.net.
	rst.x1403.x1222.x1002.rs.dns-oarc.net.
	"96.31.0.5 DNS reply size limit is at least 1403"
	"Tested at 2011-02-25 00:24:38 UTC"
	"96.31.0.5 sent EDNS buffer size 4096"
	root at nagios:/var/log#
	root at nagios:/var/log# dig forecast.weather.gov

	; <<>> DiG 9.5.1-P3 <<>> forecast.weather.gov
	;; global options:  printcmd
	;; connection timed out; no servers could be reached
	root at nagios:/var/log#

Any ideas?  Querying our corporate Microsoft DNS server, behind a Cisco ASA,
works fine!

Frank Bulk

More information about the dns-operations mailing list