[f-nsp] IP fragmentation on a ServerIron?
David Miller
dmiller at metheus.org
Mon Jan 3 12:36:15 EST 2011
Rev: 10.2.01oTI4
I'm having 'intermittent' problems resolving PayPal addresses. PayPal
support suggests in https://ppmts.custhelp.com/app/answers/detail/a_id/907
"If your firewalls are not standards compliant you may experience
intermittent timeouts and slow response times resolving *.paypal.com
domain names.
The problem is defined as intermittent response to DNS queries for
paypal.com and is centric to the merchant's router/firewall
infrastructure and their ability to handle larger UDP/DNS responses.
In these scenarios, the device is dropping the packet, and, because of
UDP, there is no retransmit. Due to the nature of the DNS client, it
tries a second (or more) time and at some point is successful."
Our SI is configured to allow TCP and UDP on port dns without size
restriction. Our DNS server is an up-to-date Debian installation; with
the DNSSEC RFCs dating to 1999 and 2005, I can't imagine our version of
bind is incompatible.
The thing I'm not clear on is whether the SIs allow fragmented packets
by default or not.
Help appreciated, especially if you've solved the PayPal intermittent
timeout issue.
--- David
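
The failure mode quoted from PayPal support (large UDP DNS responses lost in the path while small ones and TCP get through) can be tested directly. The sketch below is an added example, not part of the original post: the function names and the choice of a DNSKEY query are assumptions, and `probe()` is meant to be run from the DNS server's side of the ServerIron against an authoritative server of your choosing.

```python
import socket
import struct

def build_query(name, qtype=48, bufsize=4096, txid=0x1234):
    """DNS query carrying an EDNS0 OPT record (RFC 6891) with the DO bit set.
    qtype 48 is DNSKEY, which tends to produce a large answer in a signed zone."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT RR: root name, type 41, class = advertised UDP size, TTL flags DO=0x8000, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def ask(server, query, tcp=False, timeout=3.0):
    """Send one query; return the raw reply, or None if nothing came back."""
    kind = socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM
    try:
        with socket.socket(socket.AF_INET, kind) as s:
            s.settimeout(timeout)
            s.connect((server, 53))
            if not tcp:
                s.send(query)
                return s.recv(65535)
            s.sendall(struct.pack("!H", len(query)) + query)  # TCP uses a 2-byte length prefix
            want = struct.unpack("!H", s.recv(2))[0]
            data = b""
            while len(data) < want:
                chunk = s.recv(want - len(data))
                if not chunk:
                    break
                data += chunk
            return data
    except (OSError, struct.error):
        return None

def classify(small_udp, large_udp, tcp):
    """Interpret three probes: UDP with bufsize 512, UDP with bufsize 4096, and TCP."""
    if large_udp is not None:
        truncated = struct.unpack("!H", large_udp[2:4])[0] & 0x0200  # TC flag
        return "udp-truncated" if truncated else "large-udp-ok"
    if small_udp is not None or tcp is not None:
        return "large-udp-dropped"  # consistent with a device dropping big or fragmented UDP
    return "no-answer"

def probe(server, name):
    return classify(ask(server, build_query(name, bufsize=512)),
                    ask(server, build_query(name)),
                    ask(server, build_query(name), tcp=True))
```

A repeated `large-udp-dropped` result while the same query succeeds over TCP points at the path rather than at bind.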