On Fri, Aug 22, 2008 at 4:18 PM, Aliet Santiesteban Sifontes <[EMAIL PROTECTED]> wrote:
> Hi list, I'm currently migrating our dns server to new bind releases
> due to the Kaminsky vulnerability, but I'm hitting a rock because of the
> disabling of the edns protocol. To test this I first disabled the
> firewall in pfsense and in the os, but still bind is not able to work
> with the edns protocol. The guys at isc told me this:
>
> "disabling EDNS" is issued when named experiences too many
> timeouts to EDNS queries and named decides to give up on
> EDNS and revert to plain old DNS. Now timeouts can be the
> result of many things. Broken nameservers that don't respond
> to EDNS queries. Firewalls that block EDNS queries.
> Firewalls that block fragmented responses. Firewalls/NATs
> that don't handle out of order fragments
>
> So, my question is??
> PFSense handles fragmented responses well???
> PFSense handles out of order fragments well??
Yes and yes. Scrub will reassemble them and pass them on.

> I will send a capture I did on the dmz interface where I can see that
> old plain dns queries work ok, but edns fails with a port unreachable
> when using high udp ports.
> Any ideas??

Where is the unreachable coming from? Do you see it on your WAN or just the inside interface?
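The EDNS fallback the ISC reply describes can be checked at the packet level. The following is an added example, not code from this thread, BIND or pfSense: it builds an A query with and without the EDNS0 OPT pseudo-RR and inspects a reply for the OPT record, the TC bit, and whether the reply is large enough to be fragmented at an assumed 1500-byte path MTU. The reply it inspects is a constructed sample, not a captured packet.

```python
import struct

EDNS_OPT_TYPE = 41
# Assumed path MTU of 1500 bytes: a UDP/IPv4 DNS reply above this payload size
# is fragmented in transit, which is the case the ISC note says firewalls may drop.
MAX_UNFRAGMENTED_UDP_PAYLOAD = 1500 - 20 - 8

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, txid=0x1234, edns_payload=None):
    """Build a UDP A query; with edns_payload set, append an EDNS0 OPT pseudo-RR."""
    arcount = 0 if edns_payload is None else 1
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD bit set
    msg += encode_name(name) + struct.pack("!HH", 1, 1)           # QTYPE A, QCLASS IN
    if edns_payload is not None:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
        # TTL = extended RCODE/version/flags (all zero here), RDLEN 0.
        msg += b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, edns_payload, 0, 0)
    return msg

def skip_name(data, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[pos]
        if (length & 0xC0) == 0xC0:   # compression pointer: 2 bytes, ends the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def inspect_response(data):
    """Report whether a reply carries an OPT record, is truncated, or would fragment."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(data, pos) + 4          # skip QTYPE and QCLASS
    edns_payload = None
    for _ in range(an + ns + ar):
        pos = skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == EDNS_OPT_TYPE:
            edns_payload = rclass               # the server's advertised buffer size
    return {"edns_payload": edns_payload, "truncated": bool(flags & 0x0200),
            "size": len(data), "may_fragment": len(data) > MAX_UNFRAGMENTED_UDP_PAYLOAD}

# Constructed reply: example.com A 192.0.2.1 (compressed name) plus an OPT advertising 4096.
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
                + encode_name("example.com") + struct.pack("!HH", 1, 1)
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
                + b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, 4096, 0, 0))
```

A reply with no OPT record means the server (or something in the path) did not honour EDNS; a reply that sets `may_fragment` is the one a firewall that drops fragments would silently lose, which named then counts as a timeout.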
