Results 1 to 6 of 6

Thread: Bind error messages and poor performance

  1. #1
    Join Date
    Aug 2009

    Question Bind error messages and poor performance

    I'm getting the following errors in /var/log/daemon.log

    Dec 31 15:15:25 demigod named[12914]: success resolving '' (in ''?) after reducing the advertised EDNS UDP packet size to 512 octets

    and sometimes:

    Dec 31 14:43:23 demigod named[12478]: success resolving '' (in ''?) after disabling EDNS

    I've disabled everything related to intrusion detection and firewall in the ADSL-router but still get these errors. Tried adding edns-udp-size 512; to /etc/bind/named.conf.options but it doesn't seem to have any effect. Any ideas? I also tried adding the adsl-router as a forwarder, this reduced the number of error messages slightly...

    Any ideas???

  2. #2
    Join Date
    Oct 2009
    Bangalore, India
    Ubuntu 10.10 Maverick Meerkat

    Re: Bind error messages and poor performance

    Bump. I have similar errors and extremely poor performance. disable ipv4 through /etc/defaults/bind9 stopped the EDNS error messages but bind9 is still performing extremely poorly. Any suggestions would help thank you.

  3. #3
    Join Date
    Sep 2006

    Re: Bind error messages and poor performance

    Bump. Has somebody figured it out?

    What I have tried is:
    disabling ipv6 with "-4" in /etc/default/bind9 and
    inserting "max-cache-size 0" and "edns-udp-size 512" in /etc/bind/named.conf.options with no effect.

    PS: I'm running BIND9.7.x - latest from the repo.
    Last edited by menchi; December 17th, 2010 at 08:59 PM.

  4. #4
    Join Date
    Feb 2011

    Re: Bind error messages and poor performance

    FYI, I found this googling around.

    The better solution is to work out if it is a local problem
    that is causing the messages and fix it.
    The usual causes is a broken or misconfigure firewall / NAT.
    * A Firewall that doesn't allow through DNS packets > 512 bytes.
    * A Firewall/NAT that doesn't allow IP fragments through.
    To workaround either of these set edns-udp-size to a
    appropriate value but only do it if you can't fix the
    underlying problem.
    I've got a NAT that can't handle out-of-order IP
    fragments so I use "edns-udp-size 1460;" which is
    small enough so that a UDP packet will fit in a
    Ethernet packet without fragmentation provided no
    IP options are set.
    "dig +norec +dnssec"
    Can be used to test if you firewall supports packets > 512.
    "dig +dnssec +norec +ignore dnskey se"
    Can be used to test if IP fragments can get though at all.
    I don't have a out-of-order IP fragmentation test.
    These messages are rare events with a EDNS clear path.
    However, my firewall seems to process these fine too.

    add the following lines in /etc/named.conf or /var/named/chroot/etc/
    logging {
    category lame-servers {null; };
    category edns-disabled { null; };

    Hope to help ...
    Antonio Carlos de Lima
    Note that the location of named.conf differs in ubuntu and it is split into multiple files. named.conf.options is where I put it. Make sure you restart the bind daemon.

    This will supress the error in your logs but doesn't solve the issue causing it.

    I only assume the error is present due the dns server it is communicating with does not support edns.
    Last edited by g4m3c4ck; February 9th, 2011 at 05:52 PM.

  5. #5
    Join Date
    Feb 2011

    Re: Bind error messages and poor performance

    I found this command will test if a server supports EDNS

    dig @ +noall +comments +bufsize=1 query

    I get the following output which shows a 4K udp packet size

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35828
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ; EDNS: version: 0, flags:; udp: 4096

  6. #6
    Join Date
    Aug 2008

    Re: Bind error messages and poor performance


    EDNS increases the DNS message length above 512 bytes.

    In practice, difficulties can arise when using EDNS traversing firewalls, since some firewalls assume a maximum DNS message length of 512 bytes and block longer DNS packets.
    So the root cause is a firewall between your bind server and the Internet that is dropping DNS messages > 512 bytes.

    1) The best solution is to upgrade the firewall so that it is EDNS compatible and allows DNS messages > 512 bytes.

    2) If that isn't possible, you can globally disable EDNS within bind:

    Edit /etc/bind/named.conf.options
    Add this at the bottom (outside of the options clause):
    server ::/0 {
           edns no;
    server {
           edns no;

Tags for this Thread


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts