mropers (Aspirant)
Apr 04, 2011
FVS336Gv2 dropping DNS packets >512 bytes
Hello,
I have a new FVS336Gv2 and am having trouble getting DNS to resolve in a timely fashion through the router. Here is my setup:
Mac OS Snow Leopard Server running LAN side DHCP and DNS. All LAN clients receive the SLS IP as the DNS server. SLS set to forward DNS queries it is not authoritative for to my ISP's DNS server. No DNS issues with this setup using a D-Link 825 as the internet router and firewall.
When I replaced the D-Link 825 with the FVS336Gv2, web browsing became very slow. Often pages would time out, but if I hit refresh it would load immediately. Then I found error messages like this in my DNS logs:
01-Apr-2011 17:30:09.235 createfetch: www.l.google.com A
01-Apr-2011 17:30:14.235 createfetch: www.l.google.com A
01-Apr-2011 17:30:14.237 success resolving 'www.l.google.com/A' (in 'google.com'?) after reducing the advertised EDNS UDP packet size to 512 octets
It would appear that the FVS336Gv2 is blocking DNS packets larger than 512 bytes. SLS DNS service then waits for the EDNS attempt to time out before reverting to smaller DNS packets.
My thinking here is I can either 1) disable EDNS in SLS or 2) change the FVS336Gv2 to allow EDNS packets. Any suggestions on how to accomplish 2)?
Thanks.
4 Replies
- adit (Mentor)
Create an Outbound Rule for DNS UDP Allow Always and test.
- mropers (Aspirant)
Hello,
I finally had an opportunity to put the FVS336Gv2 back as our network edge router and tried your suggestion. Unfortunately, I am seeing the same results. I noticed a new firmware version posted so I upgraded firmware and tried again, with the same results. Firmware was upgraded by resetting to factory defaults, upgrading firmware, resetting to factory defaults, and reentering configuration manually. I have also tried forcing Bind to use port 53 by editing named.conf to uncomment the line query-source address * port 53:
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
Here are the DNS server logs from a recent DNS lookup:
27-Apr-2011 19:10:05.563 createfetch: www.nytimes.com A
27-Apr-2011 19:10:10.563 createfetch: www.nytimes.com A
27-Apr-2011 19:10:10.699 host unreachable resolving 'www.nytimes.com/A/IN': 2001:503:231d::2:30#53
27-Apr-2011 19:10:15.563 createfetch: www.nytimes.com A
27-Apr-2011 19:10:21.668 host unreachable resolving 'www.nytimes.com/A/IN': 2001:503:a83e::2:30#53
27-Apr-2011 19:10:24.520 success resolving 'www.nytimes.com/A' (in 'com'?) after disabling EDNS
And corresponding FVS336Gv2 logs for same request:
2011 Apr 27 19:10:25 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.55.83.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:24 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.52.178.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:23 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.31.80.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:22 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.26.92.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:21 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.43.172.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:20 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.42.93.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:19 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.54.112.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:19 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.41.162.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:18 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.48.79.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:17 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.12.94.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:16 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.35.51.30 PROTO=UDP SPT=53 DPT=53
Any other suggestions?
- adit (Mentor)
Contact Tech Support.
- lemieux (Novice)
mropers wrote:
Here are the DNS server logs from a recent DNS lookup:
27-Apr-2011 19:10:05.563 createfetch: www.nytimes.com A
27-Apr-2011 19:10:10.563 createfetch: www.nytimes.com A
27-Apr-2011 19:10:10.699 host unreachable resolving 'www.nytimes.com/A/IN': 2001:503:231d::2:30#53
27-Apr-2011 19:10:15.563 createfetch: www.nytimes.com A
27-Apr-2011 19:10:21.668 host unreachable resolving 'www.nytimes.com/A/IN': 2001:503:a83e::2:30#53
27-Apr-2011 19:10:24.520 success resolving 'www.nytimes.com/A' (in 'com'?) after disabling EDNS
And corresponding FVS336Gv2 logs for same request:
2011 Apr 27 19:10:25 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.55.83.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:24 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.52.178.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:23 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.31.80.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:22 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.26.92.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:21 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.43.172.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:20 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.42.93.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:19 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.54.112.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:19 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.41.162.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:18 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.48.79.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:17 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.12.94.30 PROTO=UDP SPT=53 DPT=53
2011 Apr 27 19:10:16 [FVS336GV2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=172.16.53.10 DST=192.35.51.30 PROTO=UDP SPT=53 DPT=53
Any other suggestions?
I'm seeing a similar problem.
I added DNS:TCP and DNS:UDP to AllowAll for outbound traffic.
I've tried to turn off EDNS in bind9 using "edns no;".
I've tried limiting EDNS packet size to 512 bytes using "edns-udp-size 512;".
Nothing seems to fix this problem. Any suggestions?
Guy
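An added example, not part of any post in this thread: a Python sketch that scans a BIND resolver log for lookups that only succeeded after an EDNS downgrade and reports how long each one was stalled, which is the symptom a middlebox dropping large DNS responses produces. The sample lines are the ones quoted in the posts above; the function and field names are assumptions of this example.

```python
import re
from datetime import datetime

# Log lines copied from the posts in this thread (BIND "named" resolver log).
SAMPLE_LOG = """\
01-Apr-2011 17:30:09.235 createfetch: www.l.google.com A
01-Apr-2011 17:30:14.235 createfetch: www.l.google.com A
01-Apr-2011 17:30:14.237 success resolving 'www.l.google.com/A' (in 'google.com'?) after reducing the advertised EDNS UDP packet size to 512 octets
27-Apr-2011 19:10:05.563 createfetch: www.nytimes.com A
27-Apr-2011 19:10:10.563 createfetch: www.nytimes.com A
27-Apr-2011 19:10:10.699 host unreachable resolving 'www.nytimes.com/A/IN': 2001:503:231d::2:30#53
27-Apr-2011 19:10:15.563 createfetch: www.nytimes.com A
27-Apr-2011 19:10:21.668 host unreachable resolving 'www.nytimes.com/A/IN': 2001:503:a83e::2:30#53
27-Apr-2011 19:10:24.520 success resolving 'www.nytimes.com/A' (in 'com'?) after disabling EDNS
"""

TS = r"(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})"
FETCH = re.compile(TS + r" createfetch: (\S+) (\S+)")
FALLBACK = re.compile(
    TS + r" success resolving '([^/']+)/(\w+)' .*? after "
    r"(reducing the advertised EDNS UDP packet size to (\d+) octets|disabling EDNS)")

def parse_ts(text):
    return datetime.strptime(text, "%d-%b-%Y %H:%M:%S.%f")

def edns_fallbacks(log_text):
    """Return one record per lookup that succeeded only after an EDNS downgrade."""
    first_fetch = {}  # (name, rrtype) -> timestamp of the first createfetch
    events = []
    for line in log_text.splitlines():
        m = FETCH.match(line)
        if m:
            # Retries log createfetch again; keep only the first attempt's time.
            first_fetch.setdefault((m.group(2), m.group(3)), parse_ts(m.group(1)))
            continue
        m = FALLBACK.match(line)
        if m:
            key = (m.group(2), m.group(3))
            start = first_fetch.pop(key, None)
            delay = (parse_ts(m.group(1)) - start).total_seconds() if start else None
            events.append({
                "name": key[0],
                "type": key[1],
                "fallback": "udp-size-" + m.group(5) if m.group(5) else "edns-disabled",
                "delay_s": round(delay, 3) if delay is not None else None,
            })
    return events

if __name__ == "__main__":
    for event in edns_fallbacks(SAMPLE_LOG):
        print(event)
```

A steady stream of these records after a firewall change, with delays clustered around multiples of the resolver's retry timer, points at the new device rather than at the upstream servers.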