From: Mark.Andrews@isc.org
To: Stanley Hopcroft
Cc: FreeBSD-stable@FreeBSD.ORG
Subject: Re: Anyone had any problems with BIND-9 forwarding queries through PIX devices ?
Date: Thu, 05 Dec 2002 12:37:47 +1100
Message-Id: <200212050137.gB51bltB003074@drugs.dv.isc.org>
In-reply-to: Your message of "Wed, 04 Dec 2002 22:40:14 +1100." <20021204224012.F214@IPAustralia.Gov.AU>

> Dear Sir or Madam,
>
> We have been using the ports version of BIND 9 on 4.7-RELEASE (and
> 4.6-RELEASE before) without any problems.
>
> Recently however, forwarded queries to our provider frequently take ~ 12
> seconds to resolve (for names such as www.Yahoo.COM, that should be
> cached).
>
> (packet traces show 4 A queries and then the response belatedly).
>
> We became aware through the same symptoms that PIX firewalls (with
> recent firmware) do not handle source port 53 queries very well.
>
> Is anyone aware of any problems with BIND 9.21 as far as forwarding
> goes, especially with PIX ?
>
> We have been forced to downgrade to the release version of BIND-8; this
> seems to perform better.

It's an issue with any server that supports EDNS (BIND 8 and BIND 9
both support EDNS). CISCO have been aware of this for a long time.
I've heard a rumour that CISCO have actually fixed this. I suggest
that you contact the CISCO TAC. At least you will then be informed
when they have a fix, if not be told what the fix is.

Mark

> Yours sincerely.
>
> --
> Stanley Hopcroft
>
> '...No man is an island, entire of itself; every man is a piece of the
> continent, a part of the main. If a clod be washed away by the sea,
> Europe is the less, as well as if a promontory were, as well as if a
> manor of thy friend's or of thine own were. Any man's death diminishes
> me, because I am involved in mankind; and therefore never send to know
> for whom the bell tolls; it tolls for thee...'
>
> from Meditation 17, J Donne.

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org