Monday, March 11, 2013

An Issue of Resolve

Running ISC's BIND can be liberating, allowing you to do interesting things, but it can also be frustrating. I don't know that this is actually an issue with BIND rather than with DNS in general, but you certainly see the issues through BIND. The two most common weird issues I have run into relate to IPv6 and EDNS, and primarily to IPv6 and EDNS in networks not fully prepared for either (shame on me).

For IPv6 issues, the simple answer is to turn off IPv6 on your name server. Debian's more recent versions of BIND allow a '-4' command line flag (use IPv4 transport only), most easily added by editing /etc/default/bind9 and appending it to the OPTIONS line. You can also turn off IPv6 on the machine in question. Or *gasp* get yourself fully onto IPv6.

If the problem isn't that you are resolving IPv6 addresses that are going nowhere, the next likely culprit is EDNS. EDNS (and DNSSEC, which depends on it) produces larger than normal DNS response packets, large enough that some routers, firewalls, NAT devices, etc. don't know how to handle them and DNS resolution breaks. If you have effective logging you will see messages like "success resolving '' (in ''?) after reducing the advertised EDNS UDP packet size to 512 octets", which means BIND only got an answer after retrying with a classic 512-byte buffer.

To test where EDNS is going amiss, you can use the following commands:

    dig +norec +dnssec
    dig +dnssec +norec +ignore dnskey se

The first tests whether EDNS responses larger than 512 bytes get through at all, while the second tests whether everything in the path can handle IP fragmentation (the .se DNSKEY set is large enough to be fragmented, and +ignore stops dig from quietly retrying over TCP when the UDP answer is truncated, so a broken path shows up instead of being masked). If the first fails, you need to stop advertising large EDNS buffers. If the first succeeds and the second fails, you need to limit the advertised EDNS size so answers fit in a single unfragmented packet. The BIND option edns-udp-size, set in the options {} block, covers both cases:

    edns-udp-size 512;
or
    edns-udp-size 1460;

Two caveats: edns-udp-size only changes the buffer size your resolver advertises in the queries it sends (max-udp-size caps the answers BIND itself sends out), and 512 does not actually switch EDNS off, it just keeps answers within the classic DNS limit; to really disable EDNS toward a specific peer, use edns no; in a server {} statement for it. Also, 1460 plus IPv4 and UDP headers still fits a 1500-byte Ethernet frame, but with IPv6 headers it does not, so pick something smaller if your queries go out over IPv6.
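The probe above is easy to wrap in a script that runs the two tests and turns the outcome into an edns-udp-size setting. The following is an added example, not part of the original post or of BIND; it assumes BIND's dig output format (";; flags: ..." line, ";; MSG SIZE  rcvd: N" line, and ";; connection timed out; no servers could be reached" on failure), and the server, zone and the 4096/1460 buffer sizes passed to it are just the values used for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): probe a path with dig at two
# EDNS buffer sizes and suggest an edns-udp-size value from the results.
# Assumption: dig output in the format printed by BIND's dig.

# classify_dig_output: read dig output on stdin and print one word:
#   timeout    no answer at all (the usual sign of a device dropping large
#              or fragmented UDP somewhere in the path)
#   truncated  answer arrived with the TC bit set (server cut it down; dig
#              would normally retry over TCP unless +ignore was given)
#   ok:<size>  full UDP answer of <size> bytes received
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*) echo timeout; return 0 ;;
    esac
    # ";; flags: qr aa tc; QUERY: 1, ..." -> "qr aa tc"
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    # ";; MSG SIZE  rcvd: 1452" -> "1452"
    size=$(printf '%s\n' "$out" | sed -n 's/^;; MSG SIZE *rcvd: \([0-9]*\).*/\1/p')
    case " $flags " in
        *" tc "*) echo truncated; return 0 ;;
    esac
    if [ -n "$size" ]; then
        echo "ok:$size"
    else
        echo unknown
    fi
}

# probe_edns <server> <zone> <bufsize>: ask for the zone's DNSKEY set (big
# enough to exceed 512 bytes, and to fragment at 4096) while advertising the
# given EDNS buffer. +ignore keeps dig on UDP so truncation is reported
# rather than hidden by a TCP retry; +norec avoids recursion on the target.
probe_edns() {
    server=$1; zone=$2; bufsize=$3
    dig @"$server" "$zone" DNSKEY +dnssec +norec +ignore \
        +bufsize="$bufsize" +time=3 +tries=1 | classify_dig_output
}

# recommend_edns_udp_size <result@4096> <result@1460>: map the two verdicts
# onto an options{} value. A truncated answer at 1460 still proves that
# 1460-byte EDNS packets get through, so TCP fallback will take care of it.
recommend_edns_udp_size() {
    big=$1; mid=$2
    case "$big" in
        ok:*) echo 4096; return 0 ;;   # fragmented answers arrive: leave EDNS alone
    esac
    case "$mid" in
        ok:*|truncated) echo 1460 ;;   # single-packet EDNS works, fragments do not
        *) echo 512 ;;                 # even modest EDNS answers vanish: go classic
    esac
}

# Usage: sh edns_probe.sh <server> <zone>   (example: sh edns_probe.sh 127.0.0.1 se)
if [ $# -eq 2 ]; then
    big=$(probe_edns "$1" "$2" 4096)
    mid=$(probe_edns "$1" "$2" 1460)
    echo "4096-byte probe: $big"
    echo "1460-byte probe: $mid"
    echo "suggested: edns-udp-size $(recommend_edns_udp_size "$big" "$mid");"
fi
```

Run it against the resolver you are troubleshooting, from the network that is having the problem, since the device mangling the packets is usually between the two rather than on the server itself.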
