
Re: BIND DNS problem after upgrading from Wheezy to Squeeze

Andrew Wood <awood@xxxxxxxxxxxx> wrote:

Hi,

> I have a server which acts as a DNS server for our LAN. All our internal 
> servers have A records on it using a .local domain and it forwards all 
> other requests out to the root servers using the in-built list provided 
> with BIND. All clients on the LAN have this machine set as their only 
> DNS server.
>
>
> It has worked fine for 6 years under Wheezy but I have just upgraded it 
> to Stretch. I did an upgrade to Jessie first, rebooted checked 
> everything was OK, and then immediately upgraded to Stretch.
>
> Since then we keep getting intermittent DNS lookup failures for various 
> domains on the internet, which will typically work if you click the 
> refresh button in the browser a few times.
>
> BIND seems to just log to syslog/systemd; it doesn't appear to be 
> configured to use its own log. If I run journalctl -xe | grep "named" I 
> can get the log entries but none of them relate to the failed DNS 
> lookup. If I do it immediately after a failure has occurred nothing is 
> logged so I'm at a bit of a loss to work out what might be wrong.
>
>
> Does anyone have any ideas please?

Current BIND9 defaults to doing DNSSEC verification. DNSSEC needs large
packets. You might have an issue with UDP fragments being dropped at
your firewall/NAT Gateway?

https://www.dns-oarc.net/oarc/services/replysizetest

You can try to set 

	edns-udp-size 1200;

in your options {} block if you see issues there.

Bernhard
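The fragment-drop hypothesis in the reply above can be checked locally without the OARC page: send the same DNSSEC-style query while advertising different EDNS0 UDP buffer sizes and see at which size replies stop arriving (timeout) or come back with the TC bit set. The script below is an added example, not code from the thread or from BIND; it uses only the Python standard library, and the server address, the query name and the probe ladder of sizes are assumptions to change for your own network. The packet builder follows RFC 6891 (OPT pseudo-RR: owner name root, CLASS field carries the UDP payload size, TTL field carries the DO bit).

```python
"""Probe how large an EDNS0 UDP reply actually reaches this host.

Added example for the BIND/DNSSEC fragment discussion; not from the
original thread. Standard library only. Server, query name and probe
sizes in main() are assumptions.
"""
import socket
import struct

DNS_TYPE_DNSKEY = 48   # DNSSEC query type that yields large answers
DNS_TYPE_OPT = 41      # EDNS0 OPT pseudo-RR (RFC 6891)
FLAG_TC = 0x0200       # "truncated" bit in the header flags word
FLAG_RD = 0x0100       # "recursion desired"
PROBE_TXID = 0x1234    # fixed transaction id so replies can be matched


def encode_name(qname):
    """Wire-format a dotted name as length-prefixed labels plus a zero byte."""
    stripped = qname.rstrip(".")
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, udp_size, txid=PROBE_TXID, qtype=DNS_TYPE_DNSKEY):
    """Build a DNSKEY query carrying an OPT record that advertises udp_size
    as the largest UDP reply we claim to accept, with the DO bit set."""
    # header: id, flags, qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root owner name, TYPE=41, CLASS=udp payload size,
    # TTL = ext-rcode(8) | version(8) | DO(1) | zeros, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_size, 0x00008000, 0)
    return header + question + opt


def parse_header(data):
    """Return the 12-byte header fields an operator cares about."""
    if len(data) < 12:
        raise ValueError("short packet")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "answers": an, "additional": ar, "size": len(data)}


def probe(server, qname, udp_size, timeout=3.0):
    """Send one query over UDP; return the parsed header, or None on timeout."""
    query = build_query(qname, udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    hdr = parse_header(data)
    return hdr if hdr["id"] == PROBE_TXID else None


def largest_working_size(results):
    """results maps advertised udp_size -> parsed header, or None on timeout.
    Returns the largest size that produced an untruncated reply, or None.
    A large size timing out while a smaller one answers is the symptom of
    UDP fragments being dropped on the path; a TC=1 reply means the server
    is asking for a TCP retry instead, which is the benign case."""
    ok = [size for size, hdr in results.items()
          if hdr is not None and not hdr["tc"]]
    return max(ok) if ok else None


if __name__ == "__main__":
    sizes = [512, 1200, 1472, 4096]          # assumed probe ladder
    results = {sz: probe("127.0.0.1", ".", sz) for sz in sizes}  # assumed resolver
    for sz in sizes:
        print(sz, results[sz])
    print("largest untruncated UDP reply size:", largest_working_size(results))
```

Run it against the LAN resolver (or, from the resolver itself, against a root server) and compare the ladder: if 1200 answers but 4096 times out, the reply to the large advertisement was fragmented and a fragment was lost, which is exactly what `edns-udp-size 1200;` in the `options {}` block works around by keeping BIND's own advertised size below the path's fragmentation point.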