Today, on one of my servers, I noticed in the syslog a lot of named records complaining about a “reduction of … EDNS UDP …” packet size.
Here is the text: “… after reducing the advertised EDNS UDP packet size to 512 octets”
Googling around I found here something that looked like the solution… and it was!
It seems to be a misconfigured firewall/NAT that does not let DNS packets larger than 512 bytes, or IP-fragmented DNS packets, pass through.
In order to discover and fix the problem I performed the following steps:
1) Test whether the firewall/router passes DNS packets larger than 512 bytes:
“dig +norec +dnssec example.com @a.root-servers.net”
2) Test whether IP packet fragmentation is allowed:
“dig +dnssec +norec +ignore dnskey se @A.NS.se”
Both queries will time out if the problem is present.
3) Now, depending on your configuration, check your network plan and investigate in order to solve the problem.
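As an added example (not from the original post), here is a small POSIX shell script that runs the two dig probes above with a short timeout and classifies each result as ok, truncated, timeout or unknown, and also extracts the UDP buffer size the server reports in the EDNS pseudosection. It assumes the dig utility from BIND is installed and that the host can reach UDP port 53 outbound; the sample dig outputs embedded in it are constructed for the self-check.

```shell
#!/bin/sh
# Added example, not part of the original post. Runs the two EDNS/fragmentation
# probes from the post and classifies the dig output. Assumes `dig` (BIND) is
# installed; the SAMPLE_* outputs below are constructed, not captured.

# classify_dig_output: read dig output on stdin and print one word:
#   timeout   - no reply at all (the symptom described in the post)
#   truncated - the server set the TC flag (answer did not fit in UDP)
#   ok        - a reply with an EDNS pseudosection came back
#   unknown   - anything else (e.g. SERVFAIL, usage error)
classify_dig_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'connection timed out'; then
        echo timeout
    elif printf '%s\n' "$out" | grep -Eq '^;; flags:[^;]* tc[ ;]'; then
        echo truncated
    elif printf '%s\n' "$out" | grep -Eq '^;+ EDNS: version:'; then
        echo ok
    else
        echo unknown
    fi
}

# advertised_udp_size: print the "udp: N" value from the EDNS pseudosection.
# A value of 512 here means the responder fell back to the classic DNS limit.
advertised_udp_size() {
    sed -n 's/.*udp: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# probe LABEL DIG-ARGS...: one attempt, 5 second timeout, then classify.
probe() {
    label=$1; shift
    result=$(dig +time=5 +tries=1 "$@" 2>&1 | classify_dig_output)
    printf '%-32s %s\n' "$label" "$result"
}

# The two checks from the post, in the same order.
run_probes() {
    probe "EDNS >512 bytes (root server)" +norec +dnssec example.com @a.root-servers.net
    probe "IP fragmentation (se DNSKEY)"  +dnssec +norec +ignore dnskey se @a.ns.se
}

# Constructed sample outputs used to exercise the classifier offline.
SAMPLE_OK=';; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096'
SAMPLE_TC=';; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# self_check: returns 0 when the classifier handles all three sample outputs.
self_check() {
    [ "$(printf '%s\n' "$SAMPLE_OK" | classify_dig_output)" = ok ] &&
    [ "$(printf '%s\n' "$SAMPLE_TC" | classify_dig_output)" = truncated ] &&
    [ "$(printf '%s\n' "$SAMPLE_TIMEOUT" | classify_dig_output)" = timeout ] &&
    [ "$(printf '%s\n' "$SAMPLE_OK" | advertised_udp_size)" = 4096 ] &&
    [ "$(printf '%s\n' "$SAMPLE_TC" | advertised_udp_size)" = 512 ]
}

# Live probes only run when invoked as: sh edns_check.sh run
if [ "${1:-}" = run ]; then
    run_probes
fi
```

Run it with the argument run to perform the live checks; a timeout on either line points at the firewall or NAT in the path, while truncated on the first line means the path passes UDP but the responder still capped the answer at the classic size.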
In my scenario I have a Cisco PIX501, and by default it limits DNS packets to 512 bytes.
To fix my situation I had to open the configuration panel and, under “System Properties -> Advanced -> Fixup -> DNS”, set the packet size to 0 (zero).