I was reading this: http://www.theregister.co.uk/2010/04/13/dnssec/
and went here: http://labs.ripe.net/content/testing-your-resolver-dns-reply-size-issues
Using Google's DNS resolvers on a client behind a Netscreen SSG140 I keep getting "Your resolver was only able to get packets SMALLER than 512 bytes" which suggests I have a problem.
Any suggestions? I assume this is a ScreenOS screening issue, yet even with "Generate Alarms without Dropping Packet" ticked I get the same issue.
This setting is enforced by Deep Inspection and can be changed with the following command:
set di service dns udp_message_limit <size>   (size range: 512 - 4096)
The default size is 512.
It is a setting in Deep Inspection, but if you are not using Deep Inspection on the policy then what is the issue?
@ogardatadude wrote: It is a setting in Deep Inspection, but if you are not using Deep Inspection on the policy then what is the issue?
You need to allow both 53/UDP and 53/TCP from your nameserver to the internet. The UDP transport only delivers 512 bytes; larger responses will be transferred via TCP (see RFC 1035 section 4.1.2).
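The mechanics behind that answer, as an added example that is not part of the thread and not Juniper or RIPE code: a minimal DNS message builder that adds an EDNS0 OPT record advertising a 4096-byte UDP payload (the size is an assumption), a toy server side that sets the TC bit and drops records when the reply would exceed a given UDP limit (which is what a 512-byte-only path looks like to the client), a classifier that mirrors the verdicts the RIPE test prints, and a real-network lookup that retries over 53/TCP with the 2-byte length prefix when the UDP reply is truncated. The address list is constructed test data; the 8.8.8.8 default in resolve() is an assumption and that function is the only one that touches the network.

```python
import socket
import struct

DNS_UDP_LIMIT = 512      # RFC 1035 classic maximum for a UDP DNS message
EDNS_UDP_SIZE = 4096     # payload size advertised in the EDNS0 OPT RR (assumed value)
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234, edns_size=EDNS_UDP_SIZE):
    """A-record query; an EDNS0 OPT RR is appended in the additional section when edns_size is set."""
    arcount = 1 if edns_size else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    opt = b""
    if edns_size:
        # OPT RR: root name, TYPE=41, CLASS field carries the UDP payload size,
        # TTL field carries extended RCODE/version/flags (all zero), RDLEN=0.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return header + question + opt


def build_response(query, addresses, udp_limit):
    """Toy server: one A RR per address; sets TC and stops adding RRs once udp_limit would be exceeded.
    (A real server would also echo an OPT RR; omitted here to keep the size arithmetic plain.)"""
    txid = struct.unpack("!H", query[:2])[0]
    # Question section: labels up to and including the root label, then QTYPE and QCLASS.
    end = query.index(b"\x00", 12) + 1 + 4
    question = query[12:end]
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    rrs, answered = b"", 0
    for addr in addresses:
        # 0xC00C is a compression pointer to the question name at offset 12.
        rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + socket.inet_aton(addr)
        if 12 + len(question) + len(rrs) + len(rr) > udp_limit:
            flags |= FLAG_TC   # does not fit: mark truncated so the client retries over TCP
            break
        rrs += rr
        answered += 1
    header = struct.pack("!HHHHHH", txid, flags, 1, answered, 0, 0)
    return header + question + rrs


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "truncated": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "arcount": ar}


def tcp_frame(msg):
    """DNS over TCP prefixes every message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


def classify(response):
    """What a UDP reply tells you about the path, in the spirit of the RIPE test's verdicts."""
    if parse_header(response)["truncated"]:
        return "truncated: retry over 53/TCP"
    if len(response) > DNS_UDP_LIMIT:
        return "large UDP reply received: EDNS0 works end to end"
    return "reply fits in 512 bytes: nothing learned"


def resolve(name, server="8.8.8.8", timeout=3.0):
    """Real lookup (needs network): UDP first, then TCP when the UDP answer carries TC."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply, _ = udp.recvfrom(EDNS_UDP_SIZE)
    if not parse_header(reply)["truncated"]:
        return reply, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(query))
        data = b""
        while len(data) < 2 or len(data) < 2 + struct.unpack("!H", data[:2])[0]:
            chunk = tcp.recv(4096)
            if not chunk:
                raise ConnectionError("TCP answer cut short")
            data += chunk
    return tcp_unframe(data), "tcp"
```

Feeding the same 40-address answer through build_response() with a 512-byte limit yields a 510-byte reply holding 30 records with TC set, while a 4096-byte limit yields the full 670-byte reply; if the firewall only passes 53/UDP, the TCP retry that the truncated case requires is exactly what never gets through.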