[dns-operations] too many round robin RR's / tcp and lookup errors?

Patrick, Robert (CONTR) Robert.Patrick at hq.doe.gov
Sun Sep 16 10:06:45 UTC 2012


DNS inspection at firewalls may be blocking the response, although this should be evident from all platforms, not just from mobile devices.

You can run a test to determine if there is something in the path restricting DNS packet sizes.
https://www.dns-oarc.net/oarc/services/replysizetest

May not be of much help on a mobile device, but you could run this from your DNS servers looking outbound toward the Internet.

dig +short rs.dns-oarc.net txt


As an example, Cisco ASA firewalls prior to version 8.3 by default limit DNS packet size to 512 bytes.

To change this limit, the configuration must be updated.

More information is listed here about maximum DNS packet sizes and Cisco firewalls:
http://www.cisco.com/web/about/security/intelligence/dnssec.html

Example fix for Cisco ASA running version 7.x:
conf t
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
end
wr mem

-----Original Message-----
From: dns-operations-bounces at lists.dns-oarc.net [mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Mark Jeftovic
Sent: Saturday, September 15, 2012 9:41 PM
To: dns-operations
Subject: [dns-operations] too many round robin RR's / tcp and lookup errors?

Wondering if this is "well known" or not.

We had a problem with a customer domain, for some reason it appeared as
though mobile devices on the Wind network couldn't resolve a domain.

Then I could duplicate the problem on the rogers network.

I realized that the hostname in question was using round robin DNS, and
had enough records that the response size was over 512 bytes, thus the
truncate bit was set and the resolver is supposed to retry over TCP.

So we had them drop enough records to get the response under 512 bytes
and the problem went away.

The question I have is: is this something with specific resolvers
(can't handle edns truncate and TCP retries properly)? But then we'd
expect to see this on regular web browsers too. We didn't, that I'm aware
of; it was all mobile devices.

So is there something in iOS and possibly other mobile devices that
can't handle a TCP response, or can't handle a TCP response over 512
bytes or something else?

Anybody else run across this sort of thing?

-mark

-- 
Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
Company Website: http://easydns.com
Read My Blog:    http://markable.com
+1-416-535-8672 ext 225
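Worked example added to this archive page (not code from either poster, nor from OARC): it builds DNS messages by hand to show the mechanism both messages describe, namely that a round-robin A RRset grows the reply past 512 bytes, that a server which cannot fit the answer in the client's UDP limit drops the answers and sets the TC bit, and that a resolver is then expected to retry over TCP, which is exactly the path a 512-byte-limiting firewall or a broken stub resolver breaks. The name `www.example.com`, the 192.0.2.0/24 addresses, the function names and the 30-record RRset are constructed for the example; the `resolve_with_tcp_fallback` function is the only part that touches the network and is not needed for the offline checks.

```python
"""Added example (not from the list thread): hand-built DNS messages showing
why a large round-robin RRset trips the 512-byte UDP limit, how the TC bit
signals truncation, and how a resolver falls back to TCP. All names and
addresses below are constructed sample data."""
import socket
import struct

UDP_LIMIT = 512  # classic DNS/UDP payload limit (RFC 1035) without EDNS0


def encode_name(name):
    """Wire-encode a DNS name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234, edns_bufsize=None):
    """Build a standard query (RD set). With edns_bufsize, append an OPT RR
    advertising that the client can take UDP replies larger than 512 bytes."""
    arcount = 1 if edns_bufsize else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_bufsize:
        # OPT RR: root owner name, type 41, "class" carries the UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return msg


def build_a_response(name, ips, txid=0x1234):
    """Constructed authoritative answer: one A record per address; each owner
    name is a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
        for ip in ips)
    return header + question + answers


def parse_header(msg):
    """Decode the 12-byte header; TC is flag bit 0x0200."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}


def fit_for_udp(response, max_size=UDP_LIMIT):
    """What a server does when the answer exceeds the client's UDP limit: keep
    header and question, drop the answers, set TC so the client retries over
    TCP. Returns the response untouched if it already fits."""
    if len(response) <= max_size:
        return response
    question_end = response.index(b"\x00", 12) + 1 + 4  # name terminator + type/class
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", response[:12])
    header = struct.pack("!HHHHHH", txid, flags | 0x0200, qd, 0, 0, 0)
    return header + response[12:question_end]


def round_robin_size(name, n_records):
    """Reply size for a round-robin RRset of n constructed A records."""
    ips = ["192.0.2.%d" % (i + 1) for i in range(n_records)]
    return len(build_a_response(name, ips))


def max_records_under_limit(name, limit=UDP_LIMIT):
    """Largest A RRset for this name that still fits in a `limit`-byte UDP reply."""
    n = 0
    while round_robin_size(name, n + 1) <= limit:
        n += 1
    return n


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP answer cut short (a middlebox may be blocking DNS/TCP)")
        buf += chunk
    return buf


def resolve_with_tcp_fallback(server, name, timeout=3.0):
    """Live lookup (network required): UDP first, TCP only if TC is set.
    DNS over TCP prefixes each message with a 2-byte length (RFC 1035 s4.2.2)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(query, (server, 53))
        reply, _ = u.recvfrom(UDP_LIMIT)
    if not parse_header(reply)["tc"]:
        return reply, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", _recv_exact(t, 2))[0]
        return _recv_exact(t, length), "tcp"


if __name__ == "__main__":
    name = "www.example.com"
    n = max_records_under_limit(name)
    big = build_a_response(name, ["192.0.2.%d" % (i + 1) for i in range(n + 1)])
    print("%d A records fit in 512 bytes; %d records -> %d bytes" % (n, n + 1, len(big)))
    h = parse_header(fit_for_udp(big))
    print("after truncation: TC=%s ancount=%d" % (h["tc"], h["ancount"]))
```

For a 15-character hostname the arithmetic is 33 bytes of header plus question and 16 bytes per A record, so the 30th record is the one that pushes the reply to 513 bytes. That is the point at which a client whose UDP path is capped at 512 bytes (the pre-8.3 ASA default) sees only a TC-flagged, answerless reply and must succeed over TCP; if the same device or firewall also mishandles DNS over TCP, the name fails to resolve even though every record is correct. Running `resolve_with_tcp_fallback` against a resolver from an affected network, and comparing which transport the answer arrived on, separates a resolver that never retries from a path that blocks the retry.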
_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations