On Thu, 2011-09-15 at 15:49 +0300, Jarmo Hurri wrote:
> First, thank you for your very quick response, Dan. It helped a lot - at
> least in figuring out what the underlying causes could be.

I'd like to throw in another (remotely) possible cause that cost me several days to figure out. UDP Checksums and validation.

We had a DNS Server inside a firewall (Cisco FWSM running 2.3.x) that did conditional zone forwarding to a set of DNS-Servers on the outside thereof. That firewall had the feature "fixup DNS" active, so that it could inspect udp/53 traffic for DNS lookups and replies, and once the reply would arrive, it could instantly remove translation and connection structs from its tables and memory, so it would not have to keep them until the "general UDP timeout" (I think it was 300s) would expire.

Problem was this: this "fixup" feature messed up the UDP checksum on the _first_ outgoing datagram of a given DNS "connection", but not on the subsequent ones [1]. As it ultimately turned out, the remote DNS server did perform incoming UDP checksum validation, and therefore discarded the first, but not the subsequent datagrams. Only if our local DNS server retransmitted a second query, it instantly got an answer.

So you might want to investigate if...

- the Windows machines that get fast answers do send UDP checksums at all
- if your machine fills in the UDP checksum when running with dnsmasq
- if your machine fills in the UDP checksum when running without dnsmasq
- if DNS datagrams leaving your network have valid UDP checksums
- if either set of the fast/slow servers do UDP checksum validation on incoming datagrams (while accepting datagrams that don't have a checksum)
- if DNS datagrams arriving at the remote DNS server still have valid UDP checksums.[2]

regards
Marc

[1] turning off "fixup DNS" was the solution. UDP checksums were correct afterwards.

[2] it took quite a bit of negotiation until the DNS Admins were willing to run tcpdump on their machines to see why our first DNS datagrams were discarded...
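
An added example, not part of the original message: a checker that classifies the UDP checksum of a raw IPv4 datagram as absent, valid or invalid, which is the distinction the checklist above asks about for captured DNS traffic. The function names, the documentation-range addresses and the sample packets are constructed for illustration.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: bytes, dst: bytes, udp_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, 17, udp_len)

def udp_checksum_status(ip_packet: bytes) -> str:
    """Classify the UDP checksum of a raw IPv4 packet as absent, valid or invalid."""
    if len(ip_packet) < 28 or ip_packet[0] >> 4 != 4 or ip_packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (ip_packet[0] & 0x0F) * 4
    udp_len = struct.unpack("!H", ip_packet[ihl + 4:ihl + 6])[0]
    udp = ip_packet[ihl:ihl + udp_len]
    if udp_len < 8 or len(udp) != udp_len:
        raise ValueError("truncated UDP datagram")
    if udp[6:8] == b"\x00\x00":
        return "absent"  # IPv4 only: the sender did not compute a checksum
    total = ones_complement_sum(pseudo_header(ip_packet[12:16], ip_packet[16:20], udp_len) + udp)
    return "valid" if total == 0xFFFF else "invalid"

def build_query(src: str, dst: str, sport: int, payload: bytes) -> bytes:
    """Constructed sample: IPv4/UDP datagram to port 53 with a correct UDP checksum.
    The IPv4 header checksum is left at 0 because it is not examined here."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, 53, udp_len, 0) + payload
    csum = (0xFFFF - ones_complement_sum(pseudo_header(s, d, udp_len) + udp)) or 0xFFFF
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0, s, d)
    return ip + udp[:6] + struct.pack("!H", csum) + payload

# Constructed DNS query for example.com (29 bytes, so the padding path is exercised).
DNS_QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
GOOD = build_query("192.0.2.10", "203.0.113.53", 40000, DNS_QUERY)
# A translating device that rewrites the source address but keeps the old checksum.
REWRITTEN = GOOD[:12] + socket.inet_aton("198.51.100.7") + GOOD[16:]
# A sender that does not compute UDP checksums at all.
NO_CHECKSUM = GOOD[:26] + b"\x00\x00" + GOOD[28:]
if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("rewritten", REWRITTEN), ("no checksum", NO_CHECKSUM)):
        print(f"{name:12} {udp_checksum_status(pkt)}")
```

Checksum offload on the capturing host can make locally captured outgoing datagrams appear invalid, so compare against a capture taken at the receiving side where possible.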
