With the advent of EDNS0, it's now apparently pretty common for UDP DNS replies to be longer than 512 bytes in size. A standard configuration of a Cisco PIX-515 is this:

    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns migrated_dns_map_1
    <snip>
    service-policy global_policy global

What I'm asking for is feedback on whether I'll see any differences (positive or negative) WRT increasing that max from 512 to something bigger. The BIND source code apparently has a hard-coded max reply of 4096, so that is probably what I would set it to myself.

If I'm getting lots of replies to my DNS queries blocked by my firewalls, it stands to reason that I probably am having some services being slowed by timeouts in various manners, and I'm trying to fix it (but only if it is in fact a problem).

--
Regards...
Todd

I seek the truth...it is only persistence in self-delusion and ignorance that does harm.
-- Marcus Aurelius
_______________________________________________ LinuxUsers mailing list LinuxUsers@socallinux.org http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
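The following is an added example, not part of Todd's post or of any Cisco or BIND code. It builds an EDNS0 query that advertises a 4096-byte UDP payload size (the value the post proposes), parses the advertised size back out of a message, and models the PIX `message-length maximum N` check as "drop anything longer than N bytes". The oversized reply it checks is constructed inline (a single long TXT record), so the whole thing runs offline; the function names, the example domain and the TXT contents are assumptions made for illustration.

```python
"""Constructed example: EDNS0 query building and a model of the PIX/ASA
DNS inspection 'message-length maximum' check. Not Cisco or BIND code."""
import struct

DNS_TYPE_A, DNS_TYPE_TXT, DNS_TYPE_OPT = 1, 16, 41
CLASSIC_MAX = 512    # RFC 1035 UDP limit, and the PIX default in the post
PROPOSED_MAX = 4096  # value the post proposes, taken from BIND's EDNS size


def encode_name(name):
    """Encode 'example.com' as DNS labels: b'\\x07example\\x03com\\x00'."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, qtype=DNS_TYPE_A, udp_payload=4096, txid=0x1234):
    """Build a query; udp_payload=None builds a classic (no EDNS0) query."""
    arcount = 0 if udp_payload is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)    # IN class
    if udp_payload is None:
        return header + question
    # OPT pseudo-RR (RFC 6891): owner is the root name, TYPE 41, and the
    # CLASS field carries the UDP payload size the sender can accept.
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_payload, 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past the name at `off` (handles compression)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg):
    """EDNS0 UDP payload size advertised in msg, or 512 if there is no OPT RR."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return CLASSIC_MAX


def inspection_verdict(msg, maximum):
    """Model of 'message-length maximum N': drop any DNS message over N bytes."""
    return ("drop" if len(msg) > maximum else "pass", len(msg))


def build_txt_response(query, txt_chunks, ttl=300):
    """Constructed reply to `query`: same question, one TXT answer (chunks of
    at most 255 bytes each), and an OPT RR echoing a 4096-byte size."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    rdata = b"".join(bytes([len(c)]) + c for c in txt_chunks)
    # b'\xc0\x0c' is a compression pointer back to the question name.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_TXT, 1, ttl, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, PROPOSED_MAX, 0, 0)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1)  # QR, RD, RA
    return header + question + answer + opt


if __name__ == "__main__":
    q = build_query("example.com", DNS_TYPE_TXT)
    # Constructed oversized reply: three 250-byte TXT strings (805 bytes total).
    r = build_txt_response(q, [b"v=constructed-" + b"x" * 236] * 3)
    print("client advertises", advertised_udp_size(q), "bytes")
    for limit in (CLASSIC_MAX, PROPOSED_MAX):
        print("maximum", limit, "->", inspection_verdict(r, limit))
```

Run against the same reply, the 512-byte limit from the post's config drops it while a 4096-byte limit passes it, which is the difference Todd is asking about: with the default setting the resolver never sees the answer and waits for a timeout or a TCP retry.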