Andrew Wood <aw...@comms.org.uk> wrote:
> Hi,
>
> I have a server which acts as a DNS server for our LAN. All our internal
> servers have A records on it using a .local domain and it forwards all
> other requests out to the root servers using the built-in list provided
> with BIND. All clients on the LAN have this machine set as their only
> DNS server.
>
> It has worked fine for 6 years under Wheezy but I have just upgraded it
> to Stretch. I did an upgrade to Jessie first, rebooted, checked
> everything was OK, and then immediately upgraded to Stretch.
>
> Since then we keep getting intermittent DNS lookup failures for various
> domains on the internet, which will typically work if you click the
> refresh button in the browser a few times.
>
> BIND seems to just log to syslog/systemd; it doesn't appear to be
> configured to use its own log. If I run journalctl -xe | grep "named" I
> can get the log entries but none of them relate to the failed DNS
> lookup. If I do it immediately after a failure has occurred, nothing is
> logged, so I'm at a bit of a loss to work out what might be wrong.
>
> Does anyone have any ideas please?

Current BIND9 defaults to doing DNSSEC verification. DNSSEC needs large
packets. You might have an issue with UDP fragments being dropped at your
firewall/NAT gateway?

https://www.dns-oarc.net/oarc/services/replysizetest

You can try to set edns-udp-size 1200; in your options {} block if you see
issues there.

Bernhard
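The options block Bernhard refers to, written out as an added example (it is not from either poster's configuration): a minimal /etc/bind/named.conf.options, in Debian's file layout, for a LAN resolver that keeps DNSSEC validation on but caps the EDNS buffer it advertises so that responses are not IP-fragmented. The listen address and LAN prefix are hypothetical placeholders; the value 1200 is the one suggested in the reply.

```conf
// Added example, not from the thread. Listen address and LAN prefix are
// hypothetical placeholders; replace them with the server's own values.
options {
    directory "/var/cache/bind";

    // Only answer recursive queries from the LAN (hypothetical prefix).
    listen-on { 192.0.2.53; };
    allow-recursion { 192.0.2.0/24; 127.0.0.1; };

    // Keep validation on: the goal is to make validated lookups work,
    // not to disable the feature that exposed the fragment problem.
    dnssec-validation auto;

    // Advertise a UDP buffer small enough that answers, including the
    // RRSIG and DNSKEY records validation pulls in, fit in one packet
    // and are never fragmented. Anything larger comes back truncated
    // (TC bit) and named retries it over TCP, which a stateful
    // firewall/NAT passes as an ordinary TCP/53 connection.
    edns-udp-size 1200;

    // Likewise cap the UDP responses named itself sends to clients.
    max-udp-size 1200;
};
```

Check the syntax with `named-checkconf` before reloading (`rndc reload`, or `systemctl reload bind9` on Debian), then query a signed name that failed earlier with `dig +dnssec <name> @<server>`: a validated answer carries the `ad` flag in the header, and the lookup should no longer be intermittent. If it still fails, the reply-size tester Bernhard links to shows the largest UDP response that actually reaches the resolver, which tells you whether 1200 is low enough for that path.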