My customer has a DNS server (NAMED.NLM) installed on NW65SP7. The DNS server is forwarding unresolved requests through the PIX firewall to another (Linux-based) DNS server in a DMZ. Recently, DNS timeout problems started to appear for names such as "Laptop, Notebook, Desktop, Server and Embedded Processor Technology - Intel" and "Symantec - AntiVirus, Anti-Spyware, Endpoint Security, Backup, Storage Solutions". I have discovered that this problem is related to the packet length of the DNS reply, as the PIX firewall is discarding DNS packets with a UDP payload bigger than 512 bytes, while the length of the DNS response for these queries exceeds this limit.

Looking into the DNS queries from NetWare's named, I can see that these packets contain the EDNS part advertising a UDP payload size of 2048.

I am curious whether there is any possibility to limit this advertised UDP payload size to a smaller number, or to disable EDNS as a whole on NetWare's NAMED?

Thanks in advance for any suggestion,

Martin Strobl
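As an added illustration (not part of the original post, and not NetWare or PIX code), the following Python builds a DNS query with and without the EDNS OPT record described above and reads back the advertised UDP payload size, which is carried in the OPT record's CLASS field (RFC 6891). The query name and 512-byte limit are constructed values; the same parser can be pointed at bytes taken from a packet capture of NAMED's outbound queries to confirm what it is actually advertising.

```python
import struct

DNS_TYPE_OPT = 41  # pseudo-RR type used by EDNS(0)

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txn_id=0x1234, edns_udp_size=None):
    """Build a DNS A query; when edns_udp_size is set, append an OPT RR advertising it."""
    arcount = 1 if edns_udp_size is not None else 0
    # id, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    pkt = header + question
    if edns_udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size,
        # TTL=extended RCODE/version/flags (all zero), RDLENGTH=0
        pkt += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_udp_size, 0, 0)
    return pkt

def skip_name(pkt, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def edns_udp_size(pkt):
    """Return the UDP payload size advertised by an OPT RR, or None if the message has no EDNS."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            return rclass  # CLASS field carries the advertised payload size
        off += 10 + rdlen
    return None

def fits_udp_limit(pkt, limit=512):
    """True if the query invites replies no larger than the firewall's UDP limit (constructed 512)."""
    size = edns_udp_size(pkt)
    return size is None or size <= limit
```

A query that advertises 2048 invites the upstream server to send replies larger than 512 bytes, which is exactly what the PIX then drops; a query with no OPT record (or one advertising 512) keeps the response within the classic limit.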