Re: query about EDNS UDP Packet
-Original Message-
From: Gaurav Kansal
Date: Wednesday, January 9, 2013 12:34 AM
To: Sten Carlsen, "bind-users@lists.isc.org"
Subject: Re: query about EDNS UDP Packet

>Thanks for help.
>My Firewall was dropping packet size larger than 512 bytes.
>Cisco 5580 having ASA 8.3. It is by default blocking my EDNS0 Packet.

This should be a FAQ. :-)

For anyone else who happens to be reading the archives -- googling for "cisco edns0" will lead to a lot of useful information...better than duplicating it all here. Many older network devices (including Cisco) had default policies which assumed a 512 byte limit.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: query about EDNS UDP Packet
Hi Team,

Thanks for help.
My Firewall was dropping packet size larger than 512 bytes.
Cisco 5580 having ASA 8.3. It is by default blocking my EDNS0 Packet.

Thanks and Regards,
Gaurav Kansal

On 12/31/12, Sten Carlsen wrote:
> With the replies you have shown, the limitation is very likely within your
> own walls.
>
> While it is possible that some router on the path between you and the test
> server limits the packet size, I would say it is very likely not the case,
> much less than 1% probability - according to my experience.
>
> I would use a sniffer along the path between each switch/router/firewall/xx
> until you either don't see the longer edns0 packets or some other evidence
> (could be some ICMP message) shows you that this is the place.
>
> I would also search for keywords like: DNS EDNS0 truncate.
>
> Good hunting.
>
> On 31/12/12 15:07, Phil Mayers wrote:
> > On 12/31/2012 10:54 AM, Gaurav Kansal wrote:
> > > I just want to test whether this limit is within my organization.
> > >
> > > Is any method available by which I can check this?
> >
> > https://www.dns-oarc.net/oarc/services/replysizetest
>
> --
> Best regards
> Sten Carlsen

--
Thanks n Regards,
GAURAV KANSAL
Operation And Routing Unit
NIC, NEW DELHI
Happy New Year 2013.
IPv4 is Over, Are you ready for new Network.
Re: query about EDNS UDP Packet
With the replies you have shown, the limitation is very likely within your own walls.

While it is possible that some router on the path between you and the test server limits the packet size, I would say it is very likely not the case, much less than 1% probability - according to my experience.

I would use a sniffer along the path between each switch/router/firewall/xx until you either don't see the longer edns0 packets or some other evidence (could be some ICMP message) shows you that this is the place.

I would also search for keywords like: DNS EDNS0 truncate.

Good hunting.

On 31/12/12 15:07, Phil Mayers wrote:
> On 12/31/2012 10:54 AM, Gaurav Kansal wrote:
>> I just want to test whether this limit is within my organization.
>>
>> Is any method available by which I can check this?
>
> https://www.dns-oarc.net/oarc/services/replysizetest

--
Best regards
Sten Carlsen
No improvements come from shouting: "MALE BOVINE MANURE!!!"
Re: query about EDNS UDP Packet
On 12/31/2012 10:54 AM, Gaurav Kansal wrote:
> I just want to test whether this limit is within my organization.
>
> Is any method available by which I can check this?

https://www.dns-oarc.net/oarc/services/replysizetest
RE: query about EDNS UDP Packet
I just want to test whether this limit is within my organization.

Is any method available by which I can check this?

Regards,
Gaurav Kansal

From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Sten Carlsen
Sent: Monday, December 31, 2012 4:02 PM
To: bind-users@lists.isc.org
Subject: Re: query about EDNS UDP Packet

It means that something in your path limits packet size. That could likely be a firewall or router with a "helpful" function to pass DNS packets on; only it thinks that a DNS packet can only be 512 bytes long.
Re: query about EDNS UDP Packet
It means that something in your path limits packet size. That could likely be a firewall or router with a "helpful" function to pass DNS packets on; only it thinks that a DNS packet can only be 512 bytes long.

On 31/12/12 10:49, Gaurav Kansal wrote:
> Hello Team,
>
> I am getting too many entries for reducing the EDNS Packet size to 512 bytes in my log file.
> For Eg:
>
> Dec 31 03:07:20 IPv6-DNS named[3769]: success resolving 'dns1.vps.net/A' (in 'vps.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
> Dec 31 03:07:21 IPv6-DNS named[3769]: success resolving 'ad.metanetwork.com/A' (in 'metanetwork.com'?) after reducing the advertised EDNS UDP packet size to 512 octets
> Dec 31 03:07:25 IPv6-DNS named[3769]: success resolving 'geo.admetanetwork.com/A' (in 'admetanetwork.com'?) after reducing the advertised EDNS UDP packet size to 512 octets
> Dec 31 03:07:31 IPv6-DNS named[3769]: success resolving 'tomcat.apache.org/A' (in 'apache.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
> Dec 31 03:07:31 IPv6-DNS named[3769]: success resolving 'www.apache.org/A' (in 'apache.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
> Dec 31 03:07:31 IPv6-DNS named[3769]: success resolving 'issues.apache.org/A' (in 'apache.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
> Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving 'ns1.zurich.surf.net/A' (in 'surf.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
> Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving 'ns2.surfnet.nl/' (in 'surfnet.nl'?) after reducing the advertised EDNS UDP packet size to 512 octets
> Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving 'ns2.surfnet.nl/A' (in 'surfnet.nl'?) after reducing the advertised EDNS UDP packet size to 512 octets
> Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving 'ns1.zurich.surf.net/' (in 'surf.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
> Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving './NS' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
> Dec 31 03:07:40 IPv6-DNS named[3769]: success resolving 'ns1.zurich.surf.net/A' (in 'surf.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
> Dec 31 03:07:40 IPv6-DNS named[3769]: success resolving 'ns1.zurich.surf.net/' (in 'surf.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
>
> On googling for this, I got to know that this comes when remote DNS Server doesn't support EDNS0 (i.e., packet size up to 4096 bytes).
>
> Now I want to know whether my DNS Server supports EDNS0 for incoming request or not.
> I use the 'OARC's DNS Reply Size Test Server' for the same and I got the below mentioned O/P:
>
> #dig +short rs.dns-oarc.net txt
> rst.x476.rs.dns-oarc.net.
> rst.x450.x476.rs.dns-oarc.net.
> rst.x490.x450.x476.rs.dns-oarc.net.
> "Tested at 2012-12-31 09:40:11 UTC"
> "164.100.1.206 sent EDNS buffer size 4096"
> "164.100.1.206 DNS reply size limit is at least 490"
>
> Does this mean that my server is not supporting EDNS0 ???
>
> Thanks and Regards,
> Gaurav Kansal
>
> Happy New Year 2013.
> IPv4 is Over,
> Are you ready for new Network.

--
Best regards
Sten Carlsen
No improvements come from shouting: "MALE BOVINE MANURE!!!"
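Added example, not part of the message above and not BIND or firewall code: a simplified model of the exchange Sten describes, with a resolver advertising an EDNS0 size in the OPT record, a server sizing its reply to it, and a middlebox that drops any UDP reply over 512 bytes. The function names, the private-use record type 65280 and the two-step 4096-then-512 retry are assumptions made for illustration.

```python
import struct

OPT, TC = 41, 0x0200   # EDNS0 pseudo-RR type (RFC 6891); header truncation bit

def opt_rr(udp_size):
    """OPT pseudo-RR: root name, TYPE 41, CLASS field = advertised UDP size."""
    return b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)

def build_query(qname, qtype, udp_size, qid=0x1A2B):
    labels = [p.encode() for p in qname.strip(".").split(".") if p]
    name = b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    return header + name + struct.pack("!HH", qtype, 1) + opt_rr(udp_size)

def split_query(msg):
    """Return (question section, advertised size) of a build_query() message."""
    off = 12
    while msg[off]:                    # walk the uncompressed QNAME labels
        off += 1 + msg[off]
    off += 5                           # root label + QTYPE + QCLASS
    if len(msg) < off + 11:            # no OPT RR: plain DNS, 512-byte limit
        return msg[12:off], 512
    rtype, size = struct.unpack("!HH", msg[off + 1:off + 5])
    return msg[12:off], (size if rtype == OPT else 512)

def server_reply(query, rdlen):
    """Constructed authoritative side: one answer RR carrying rdlen opaque bytes,
    or an empty TC=1 reply when the full answer exceeds the advertised size."""
    question, limit = split_query(query)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 65280, 1, 60, rdlen) + bytes(rdlen)
    fits = 12 + len(question) + len(answer) + 11 <= limit
    header = query[:2] + struct.pack("!5H", 0x8400 | (0 if fits else TC), 1, int(fits), 0, 1)
    return header + question + (answer if fits else b"") + opt_rr(4096)

def legacy_dns_inspect(packet, max_len=512):
    """Middlebox that assumes the pre-EDNS0 limit and drops longer UDP replies."""
    return packet if len(packet) <= max_len else None

def resolve(qname, qtype, rdlen, path):
    """Advertise 4096, then 512 (the step named in the log lines); a dropped
    reply stands in for a timeout. Returns what got through, or None."""
    for size in (4096, 512):
        reply = path(server_reply(build_query(qname, qtype, size), rdlen))
        if reply is not None:
            flags = struct.unpack("!H", reply[2:4])[0]
            return {"advertised": size, "reply_len": len(reply), "truncated": bool(flags & TC)}
    return None
```

Calling `resolve("apache.org", 1, 800, legacy_dns_inspect)` only succeeds at the 512 step, while a 300-byte answer passes at 4096, which is why only lookups with large replies produce the log entry.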
query about EDNS UDP Packet
Hello Team,

I am getting too many entries for reducing the EDNS Packet size to 512 bytes in my log file.
For Eg:

Dec 31 03:07:20 IPv6-DNS named[3769]: success resolving 'dns1.vps.net/A' (in 'vps.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:21 IPv6-DNS named[3769]: success resolving 'ad.metanetwork.com/A' (in 'metanetwork.com'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:25 IPv6-DNS named[3769]: success resolving 'geo.admetanetwork.com/A' (in 'admetanetwork.com'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:31 IPv6-DNS named[3769]: success resolving 'tomcat.apache.org/A' (in 'apache.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:31 IPv6-DNS named[3769]: success resolving 'www.apache.org/A' (in 'apache.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:31 IPv6-DNS named[3769]: success resolving 'issues.apache.org/A' (in 'apache.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving 'ns1.zurich.surf.net/A' (in 'surf.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving 'ns2.surfnet.nl/' (in 'surfnet.nl'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving 'ns2.surfnet.nl/A' (in 'surfnet.nl'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving 'ns1.zurich.surf.net/' (in 'surf.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving './NS' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:40 IPv6-DNS named[3769]: success resolving 'ns1.zurich.surf.net/A' (in 'surf.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:40 IPv6-DNS named[3769]: success resolving 'ns1.zurich.surf.net/' (in 'surf.net'?) after reducing the advertised EDNS UDP packet size to 512 octets

On googling for this, I got to know that this comes when remote DNS Server doesn't support EDNS0 (i.e., packet size up to 4096 bytes).

Now I want to know whether my DNS Server supports EDNS0 for incoming request or not.
I use the 'OARC's DNS Reply Size Test Server' for the same and I got the below mentioned O/P:

#dig +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x450.x476.rs.dns-oarc.net.
rst.x490.x450.x476.rs.dns-oarc.net.
"Tested at 2012-12-31 09:40:11 UTC"
"164.100.1.206 sent EDNS buffer size 4096"
"164.100.1.206 DNS reply size limit is at least 490"

Does this mean that my server is not supporting EDNS0 ???

Thanks and Regards,
Gaurav Kansal

Happy New Year 2013.
IPv4 is Over,
Are you ready for new Network.
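Added example, not part of the original post: a triage script that combines the two pieces of evidence in this thread, the `named` fallback messages and the reply size test TXT answers, to separate a local path limit from isolated remote servers. The function names and the `min_zones` threshold are assumptions; the sample log lines and TXT strings are copied from the post above.

```python
import re
from collections import Counter

# BIND's message when a lookup only worked after the EDNS size was reduced.
FALLBACK = re.compile(
    r"named\[\d+\]: success resolving '(?P<qname>[^']*)/(?P<qtype>[^'/]*)' "
    r"\(in '(?P<zone>[^']+)'\?\) after reducing the advertised EDNS UDP "
    r"packet size to (?P<size>\d+) octets")

# Log lines and TXT answers copied from the post above (a subset of the log).
LOG = """\
Dec 31 03:07:20 IPv6-DNS named[3769]: success resolving 'dns1.vps.net/A' (in 'vps.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:31 IPv6-DNS named[3769]: success resolving 'www.apache.org/A' (in 'apache.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:31 IPv6-DNS named[3769]: success resolving 'issues.apache.org/A' (in 'apache.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving 'ns2.surfnet.nl/A' (in 'surfnet.nl'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 31 03:07:34 IPv6-DNS named[3769]: success resolving './NS' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
"""
RST_TXT = ['"Tested at 2012-12-31 09:40:11 UTC"',
           '"164.100.1.206 sent EDNS buffer size 4096"',
           '"164.100.1.206 DNS reply size limit is at least 490"']

def fallback_zones(log_text):
    """Count fallback-to-512 events per zone."""
    return Counter(m["zone"] for m in FALLBACK.finditer(log_text) if m["size"] == "512")

def reply_size_test(txt_records):
    """(advertised EDNS buffer, measured reply size limit) from the TXT answers."""
    text = "\n".join(txt_records)
    sent = re.search(r"sent EDNS buffer size (\d+)", text)
    limit = re.search(r"reply size limit is at least (\d+)", text)
    return (int(sent[1]) if sent else None, int(limit[1]) if limit else None)

def triage(log_text, txt_records, min_zones=3):
    """Heuristic verdict; min_zones is an assumed threshold, tune it per site."""
    zones = fallback_zones(log_text)
    sent, limit = reply_size_test(txt_records)
    widespread = len(zones) >= min_zones      # unrelated zones all need the fallback
    clamped = None not in (sent, limit) and sent > 512 >= limit
    if widespread and clamped:
        verdict = "local path limits UDP DNS replies to about 512 bytes"
    elif widespread or clamped:
        verdict = "suspect the local path; capture traffic hop by hop"
    else:
        verdict = "isolated; more likely specific remote servers"
    return {"events": sum(zones.values()), "zones": sorted(zones),
            "advertised": sent, "limit": limit, "verdict": verdict}
```

`triage(LOG, RST_TXT)` reports five events across four unrelated zones, including the root, together with an advertised 4096 against a measured limit of 490, which matches the diagnosis reached in the replies.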