matt > 140

…more than I can tweet…

Fixing DNS behind the Cisco SA540


I recently set up a caching DNS server on a VM in my home network. I eventually want to make it a local primary so I can stop typing IP addresses when I need to log in to one of my servers, but since it’s been a while since I set up a DNS, I figured I’d just get the caching working first. If done right, a caching DNS can really speed up your web browsing.

Setup was easy, but I noticed some odd messages in the logs.

Jul 17 18:32:13 dns1 named[1265]: success resolving ‘e6059.g.akamaiedge.net/A’ (in ‘g.akamaiedge.net’?) after reducing the advertised EDNS UDP packet size to 512 octets

Jul 17 18:32:13 dns1 named[1265]: success resolving ‘www.time.com/A’ (in ‘.’?) after disabling EDNS

Actually, there were a lot of these messages — and that means that the DNS server isn’t performing as well as it could because each name lookup is requiring multiple attempts to address these failures.

After digging around for answers (get it? dig? it’s a DNS joke), it turns out this is because my firewall was interpreting the larger EDNS UDP packets as a UDP flood. EDNS is basically DNS with bigger packets that contain more info. I have 2 firewalls, the Uverse 2wire gateway on the WAN side and a Cisco SA540 on the LAN side. A simple fix, according to the Interwebs, was to just change the firewall settings to allow larger DNS settings or limit the UDP packet size to 512 octets in the DNS server’s settings.

The problem: there is no setting for changing the DNS UDP packet size on the SA540, bind ignores UDP packet size settings less than 1024 octets, and turning off EDNS breaks all forwarded name resolution.

In searching for “DNS SA540”, I found that Cisco acknowledged a bug in the firmware related to EDNS handling a couple years ago and released a patch.  That was 8 or 9 firmware versions ago, and, well, if this was a bug, the bug is back in the latest 3 versions of firmware.

Then, I found an Ubuntu forum thread where someone posted this excerpt from the Bind documentation:

edns-udp-size
Sets the advertised EDNS UDP buffer size in bytes to control the size of packets received. Valid values are 1024 to 4096 (values outside this range will be silently adjusted). The default value is 4096. The usual reason for setting edns-udp-size to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes. named will fallback to using 512 bytes if it get a series of timeout at the initial value. 512 bytes is not being offered to encourage sites to fix their firewalls. Small EDNS UDP sizes will result in the excessive use of TCP.

So, Bind developers won’t let you set the UDP packet size to 512 because they decided that all firewalls that have this limit are broken.  Nice.

I found other suggestions to turn off EDNS completely by adding this to the named.conf.local file:

server 0.0.0.0/0 {
edns no;
};

Don’t bother.  It will break your DNS server.  All connections to forward DNS servers will be refused.

So, my only option left was to start turning off IPS/attack filters on the SA540 firewall until DNS started working better. Luckily, there’s a setting that seems to work. Firewall –> Attacks –> LAN Security Checks –> Block UDP Flood. After turning this off, I haven’t seen any of those log messages anymore, and that means that the name lookups are working on the first try.

Interestingly, I have a similar “block UDP flood” setting on the cheapo 2wire gateway firewall on the WAN side that I left enabled.
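To confirm that a firewall change really stopped the EDNS fallbacks, the named log can be counted before and after the change. This is an added example, not code from the original post; the function names, the default year, the cutoff time, and every sample line after the first two are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# named's two EDNS fallback messages. Quotes may be ASCII (real syslog) or
# curly (as rendered in the post above), so both are accepted.
FALLBACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"success resolving ['‘](?P<name>[^/]+)/(?P<rtype>\w+)['’] "
    r"\(in ['‘](?P<zone>[^'’]+)['’]\?\) after "
    r"(?P<how>reducing the advertised EDNS UDP packet size to 512 octets"
    r"|disabling EDNS)"
)

def parse_fallback(line, year=2013):
    """Return a dict for an EDNS fallback line, or None for any other line.
    Syslog timestamps carry no year, so `year` is an assumption."""
    m = FALLBACK_RE.match(line.strip())
    if m is None:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    kind = "edns_disabled" if m["how"] == "disabling EDNS" else "reduced_to_512"
    return {"time": when, "name": m["name"], "zone": m["zone"], "kind": kind}

def count_fallbacks(lines, since=None):
    """Count fallback events by kind, optionally only those at or after
    `since` (for example, the moment the firewall setting was changed)."""
    counts = Counter()
    for line in lines:
        event = parse_fallback(line)
        if event and (since is None or event["time"] >= since):
            counts[event["kind"]] += 1
    return counts

# First two lines are from the post; the rest are constructed for illustration.
SAMPLE_LOG = """\
Jul 17 18:32:13 dns1 named[1265]: success resolving ‘e6059.g.akamaiedge.net/A’ (in ‘g.akamaiedge.net’?) after reducing the advertised EDNS UDP packet size to 512 octets
Jul 17 18:32:13 dns1 named[1265]: success resolving ‘www.time.com/A’ (in ‘.’?) after disabling EDNS
Jul 17 18:40:02 dns1 named[1265]: success resolving 'example.com/AAAA' (in 'example.com'?) after disabling EDNS
Jul 17 18:41:10 dns1 named[1265]: zone localhost/IN: loaded serial 2
Jul 18 09:15:44 dns1 sshd[2210]: Accepted publickey for user from 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    print("all:", dict(count_fallbacks(SAMPLE_LOG)))
    changed = datetime(2013, 7, 18, 0, 0, 0)  # constructed time of the change
    print("after change:", dict(count_fallbacks(SAMPLE_LOG, since=changed)))
```

A non-zero count after the cutoff means something on the path is still dropping large EDNS responses.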


One comment on “Fixing DNS behind the Cisco SA540”

  1. Dom
    June 3, 2015

    Thank you, this helped a lot 🙂

This entry was posted on July 18, 2013.

Disclaimer

Anything Matt Hovey publishes online is his own personal opinion and does not reflect the opinion of his employers.