Bind DNS problem after upgrade

Yesterday I upgraded one of my laptops from Ubuntu Hardy to Ubuntu Jaunty. I never got around to upgrading this machine earlier, as it is one of the more important machines in my home network. It runs a mail server for sending all mail and POP for local mail (Postfix + Dovecot), DNS (Bind), a torrent seedbox and the central syslog server.
After the upgrade, which didn’t really go smoothly but that is beside the point of this post, I was having problems on my work laptop browsing the net, my RSS feed reader was acting up, etc.

I quickly determined it had to do with name resolution; what else could it be if your browser says www.cnn.com is an unknown server!

I checked my syslog and found several of the following lines:

named[8026]: too many timeouts resolving 'www.netscape.com/A' (in '.'?): disabling EDNS
named[8026]: too many timeouts resolving 'www.ietf.org/A' (in '.'?): disabling EDNS
named[8026]: too many timeouts resolving 'www.robotstxt.org/A' (in '.'?): disabling EDNS
named[8026]: too many timeouts resolving 'www.netscape.com/A' (in '.'?): disabling EDNS
named[8026]: too many timeouts resolving 'www.ietf.org/A' (in '.'?): disabling EDNS
named[8026]: too many timeouts resolving 'www.robotstxt.org/A' (in '.'?): disabling EDNS
named[8026]: too many timeouts resolving 'www.netscape.com/A' (in '.'?): disabling EDNS
named[8026]: too many timeouts resolving 'www.ietf.org/A' (in '.'?): disabling EDNS
named[8026]: too many timeouts resolving 'www.robotstxt.org/A' (in '.'?): disabling EDNS
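To see the pattern in those messages rather than eyeballing them, here is an added example (not part of the original post) that pulls the "disabling EDNS" events out of syslog lines and counts them per queried name. The sample lines are the ones above with a constructed syslog timestamp and hostname prefixed, plus one unrelated Postfix line to show that non-matching lines are skipped.

```python
"""Added example, not part of the original post: extract BIND's
'too many timeouts ... disabling EDNS' events from syslog and summarise
them per queried name. Assumption: the constructed prefix (timestamp/host)
is typical syslog layout; the named[] messages are the ones from the post."""
import re
from collections import Counter

# Constructed sample input: the post's log lines with a syslog prefix,
# and one unrelated line that the regex must ignore.
SAMPLE_LOG = """\
May  3 10:12:01 seedbox named[8026]: too many timeouts resolving 'www.netscape.com/A' (in '.'?): disabling EDNS
May  3 10:12:01 seedbox named[8026]: too many timeouts resolving 'www.ietf.org/A' (in '.'?): disabling EDNS
May  3 10:12:01 seedbox named[8026]: too many timeouts resolving 'www.robotstxt.org/A' (in '.'?): disabling EDNS
May  3 10:12:02 seedbox postfix/smtpd[8101]: connect from localhost[127.0.0.1]
May  3 10:12:03 seedbox named[8026]: too many timeouts resolving 'www.netscape.com/A' (in '.'?): disabling EDNS
May  3 10:12:03 seedbox named[8026]: too many timeouts resolving 'www.ietf.org/A' (in '.'?): disabling EDNS
May  3 10:12:03 seedbox named[8026]: too many timeouts resolving 'www.robotstxt.org/A' (in '.'?): disabling EDNS
May  3 10:12:05 seedbox named[8026]: too many timeouts resolving 'www.netscape.com/A' (in '.'?): disabling EDNS
May  3 10:12:05 seedbox named[8026]: too many timeouts resolving 'www.ietf.org/A' (in '.'?): disabling EDNS
May  3 10:12:05 seedbox named[8026]: too many timeouts resolving 'www.robotstxt.org/A' (in '.'?): disabling EDNS
"""

EDNS_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: too many timeouts resolving "
    r"'(?P<name>[^']+)' \(in '(?P<zone>[^']*)'\?\): disabling EDNS"
)


def edns_timeout_events(lines):
    """Yield (pid, name, zone) for every 'disabling EDNS' line; skip the rest."""
    for line in lines:
        m = EDNS_RE.search(line)
        if m:
            yield int(m.group("pid")), m.group("name"), m.group("zone")


def summarise(lines):
    """Count events per queried name. Many unrelated names all falling back
    points at the resolver's upstream path (e.g. dropped large UDP), not at
    one broken domain."""
    return Counter(name for _, name, _ in edns_timeout_events(lines))


def looks_path_wide(summary, min_names=3):
    """True when at least min_names distinct names hit the EDNS fallback."""
    return len(summary) >= min_names


if __name__ == "__main__":
    counts = summarise(SAMPLE_LOG.splitlines())
    for name, n in counts.most_common():
        print(f"{n:3d}  {name}")
    print("path-wide problem suspected:", looks_path_wide(counts))
```

On a central syslog server this is the shape of check worth alerting on: one name timing out is the remote side's problem, every name timing out is yours.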

During the OS upgrade Bind was also upgraded, to version 9.5. This version is set up to use EDNS.

EDNS stands for Extension Mechanisms for DNS. Basically the aim was to add more functionality to the DNS protocol; it is essential for DNSSEC (DNS Security Extensions).
DNS packets are transported over UDP and are limited to a length of 512 bytes. They didn’t want to move to TCP, as that would increase the overhead.

Freely quoting Wikipedia on the mechanism they use:

Since no new flags could be added in the DNS header, the differentiation of the new protocol extensions format was achieved with optional pseudo resource records, the OPT resource records. These are wire-only control records not appearing in any zone files. DNS endpoints insert these optional records in the communications between peers to mark a data transfer using EDNS. This provides a transparently backward compatible mechanism, as older clients without EDNS support simply ignore the new record type. DNS participants should only send EDNS requests to a DNS server if they are prepared to accept an EDNS response. Unless a client request contains an OPT record, DNS servers should not send EDNS responses.

The OPT pseudo record provides space for up to 16 additional flags and it extends the space for the response code. The overall size of the UDP packet and the version number (at present 0) are contained in the OPT record. A variable length data field allows further information to be registered in future versions of the protocol. The original DNS protocol provided two label types, which are defined by the first two bits in DNS packets (RFC 1035): 00 (standard label) and 11 (compressed label). EDNS introduces the label type 01 as extended label. The lower 6 bits of the first byte may be used to define up to 63 new extended labels.

The result of the implementation is UDP packets that are over 512 bytes, and herein lies the problem. If you have an old firewall whose firmware is not designed to handle UDP packets bigger than that, it consequently drops them.

In my DNS setup I have three forwarders pointing at my ISP’s DNS servers, and apparently somewhere between my DNS server and theirs the new, larger UDP packets are being dropped.

The solution is fairly easy. In your BIND configuration, either in your view options or in your global options block, add the following line:

edns-udp-size 512;
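To make the mechanism concrete, here is an added example (my own code, not from the post or from BIND) that builds a DNS query with and without an EDNS0 OPT pseudo record and parses the OPT record back out of a message, so you can see exactly where the advertised UDP payload size sits on the wire (root name, type 41, the CLASS field carrying the size, the TTL field carrying version and flags). The last function expresses the fix from the post as a check: a query advertising more than 512 bytes invites answers an old firewall will drop, which is what edns-udp-size 512 prevents. Everything is hand-built from the standard library; no packets are sent.

```python
"""Added example (not code from the original post): build a DNS query carrying
an EDNS0 OPT pseudo record, and parse the OPT record back out of a DNS message,
to show where the advertised UDP payload size lives (RFC 6891 wire layout).
Assumptions: pure standard library, hand-built packets, no network traffic."""
import struct
from typing import Optional

OPT_TYPE = 41            # RR type of the EDNS OPT pseudo record
QTYPE_A = 1
CLASS_IN = 1
CLASSIC_UDP_LIMIT = 512  # pre-EDNS maximum DNS message size over UDP


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in the root."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a name, following label-type-11 compression pointers.
    Returns (name, offset just past the name at its original position)."""
    labels = []
    end = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer: 11xxxxxx xxxxxxxx
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", end if end is not None else off


def build_query(qname: str, udp_size: Optional[int] = 4096, txid: int = 0x1234) -> bytes:
    """DNS query for qname/A. With udp_size set, an OPT record is appended in the
    additional section advertising that payload size (EDNS version 0)."""
    arcount = 1 if udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD
    msg = header + encode_name(qname) + struct.pack("!HH", QTYPE_A, CLASS_IN)
    if udp_size is not None:
        # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size,
        # TTL=ext-rcode(8)|version(8)|DO bit+flags(16), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return msg


def parse_edns(msg: bytes):
    """Return {'udp_size','version','do'} from the OPT record, or None when the
    message is a classic non-EDNS one (what 'disabling EDNS' falls back to)."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE and name == ".":
            return {"udp_size": rclass,
                    "version": (ttl >> 16) & 0xFF,
                    "do": bool(ttl & 0x8000)}
        off += rdlen
    return None


def fits_old_firewall(msg: bytes) -> bool:
    """True when the query does not invite UDP answers above the classic 512-byte
    limit, i.e. no OPT record or one advertising at most 512 bytes."""
    opt = parse_edns(msg)
    return opt is None or opt["udp_size"] <= CLASSIC_UDP_LIMIT


if __name__ == "__main__":
    for size in (4096, 512, None):
        q = build_query("www.ietf.org", udp_size=size)
        print(f"udp_size={size!s:>5}: {len(q):2d} bytes on the wire, "
              f"OPT={parse_edns(q)}, safe behind 512-byte firewall={fits_old_firewall(q)}")
```

Note that the query itself stays tiny in all three cases (the OPT record adds 11 bytes); what changes is the size of the answer the upstream server is now allowed to send back over UDP, and that is the packet the firewall in the post was dropping.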
  • I’m due to upgrade a lot of servers in the coming month to Jaunty and am dreading errors like this; thanks for the info, it could come in handy.

    • What services are you running on your servers?
