Hello,
Marc Hauswirth wrote:
Thanks for the information, but did you or someone else notice any side effects of "minimal-responses"?
I found the following posts on the topic:
http://blog.pantek.com/opensores/labels/minimal-responses.html
http://archive.netbsd.se/?ml=bind-users&a=2007-06&t=4487849
https://lists.isc.org/pipermail/bind-users/2005-February/055443.html
http://forums.theplanet.com/lofiversion/index.php/t85037.html
http://directadmin.com/forum/showthread.php?t=25532
Per Jessen wrote:
> I can't quite see how that would be correct. When a resolver issues a
> query with UDP, it will expect a reply (minimal or not) via UDP. Only
> if it does not get a useful answer via UDP will it change and try a
> TCP query.
Ah, I see that is exactly what you meant. I guess some bandwidth could be saved, but I wonder if it's worth bothering unless your DNS server is about to croak from load.
That's the point: our DNS servers were very busy because they kept receiving invalid TCP DNS SYNs (win=0) followed by an RST from all our Colubris when the DNS cache is enabled. Colubris seems to have a bug with TCP DNS, triggered by users using Google Safe Browsing (Firefox 3, Chrome, etc.).
netstat -sn "152891264 resets received for embryonic SYN_RECV sockets"
The workaround was to enable minimal-responses so that the reply for safebrowsing-cache.google.com fits in a UDP packet and keeps the cache from retrying over TCP.
When the client has issued a TCP query, any half-way decent firewall will know not to block the reply.
We didn't have any issue with filtering, only with the DoS of SYNs coming from all our Colubris to our main firewall. We reach
I talk about blocking on the firewall because I found a post related to the issue. http://www.divideandconquer.se/2009/06/25/firefox-30-freezes-waiting-to-reso...
Best Regards, Guy Baconniere
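To show why minimal-responses kept the safebrowsing-cache reply inside a single UDP datagram, here is an added Python example (not code from this thread or from BIND) that assembles a DNS response with and without the authority and additional sections and checks it against the classic 512-byte UDP payload limit. The record counts, addresses and nameserver names are constructed, not real google.com data, and name compression is ignored, so the sizes are upper bounds.

```python
import struct

UDP_DNS_LIMIT = 512  # classic DNS-over-UDP payload limit without EDNS0 (RFC 1035)


def encode_name(name):
    """Encode a domain name in uncompressed DNS wire format (labels + root)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def encode_a_rr(name, ipv4, ttl=300):
    """One A resource record: NAME TYPE(1) CLASS(IN) TTL RDLENGTH RDATA."""
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata


def encode_ns_rr(zone, nsname, ttl=300):
    """One NS resource record pointing the zone at a nameserver name."""
    rdata = encode_name(nsname)
    return encode_name(zone) + struct.pack("!HHIH", 2, 1, ttl, len(rdata)) + rdata


def build_response(qname, answers, authority=(), additional=()):
    """Assemble a response; set TC when it would not fit in one UDP datagram.
    A real server would also drop records once TC is set; here we only flag it."""
    body = encode_name(qname) + struct.pack("!HH", 1, 1)  # question: A IN
    body += b"".join(answers) + b"".join(authority) + b"".join(additional)
    truncated = 12 + len(body) > UDP_DNS_LIMIT
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR | RD | RA, plus TC if needed
    header = struct.pack("!HHHHHH", 0x1234, flags, 1,
                         len(answers), len(authority), len(additional))
    return header + body, truncated


def compare_minimal_vs_full():
    """Constructed scenario (hypothetical data): 8 A answers, 4 NS + 4 glue records.
    Without minimal-responses the NS and glue ride along and push the reply over
    512 bytes (TC set, resolver retries over TCP); with it only the answers are sent."""
    qname = "safebrowsing-cache.google.com"
    answers = [encode_a_rr(qname, f"192.0.2.{i}") for i in range(1, 9)]
    authority = [encode_ns_rr("google.com", f"ns{i}.example.net") for i in range(1, 5)]
    additional = [encode_a_rr(f"ns{i}.example.net", f"198.51.100.{i}") for i in range(1, 5)]
    full, full_tc = build_response(qname, answers, authority, additional)
    minimal, minimal_tc = build_response(qname, answers)  # minimal-responses yes;
    return {"full_len": len(full), "full_truncated": full_tc,
            "minimal_len": len(minimal), "minimal_truncated": minimal_tc}
```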