Comments on: Firefox 3.0 freezes waiting to resolve safebrowsing-cache.google.com in DNS http://www.divideandconquer.se/2009/06/25/firefox-30-freezes-waiting-to-resolve-safebrowsing-cachegooglecom-in-dns/ David's Software Development Blog Wed, 28 Jul 2010 22:47:08 +0200 http://wordpress.org/?v=2.8.4 hourly 1 By: David http://www.divideandconquer.se/2009/06/25/firefox-30-freezes-waiting-to-resolve-safebrowsing-cachegooglecom-in-dns/comment-page-1/#comment-428 David Thu, 09 Jul 2009 12:56:15 +0000 http://www.divideandconquer.se/?p=485#comment-428 Thanks a lot Guy, I'll see if the I get get the network people to set the "minimal-responses yes" option... :-) Thanks a lot Guy, I’ll see if the I get get the network people to set the “minimal-responses yes” option… :-)

]]> By: Guy Baconniere http://www.divideandconquer.se/2009/06/25/firefox-30-freezes-waiting-to-resolve-safebrowsing-cachegooglecom-in-dns/comment-page-1/#comment-427 Guy Baconniere Thu, 09 Jul 2009 12:47:08 +0000 http://www.divideandconquer.se/?p=485#comment-427 Add "minimal-responses yes;" in your bind9 configuration or ask your ISP to do so. /etc/bind/named.conf.options options { // ... // only add records to the authority and additional data sections when required minimal-responses yes; }; By doing this Google's safebrowsing-cache.google.com will fit in a standard UDP DNS packet otherwise with additional section it will be TCP DNS packet. check the result with or without minimal-responses of dig safebrowsing-cache.google.com With minimal-responses no (default on Bind9) IP (tos 0x0, ttl 64, id 40627, offset 0, flags [none], proto UDP (17), length 75) 127.0.0.1.49553 > 127.0.0.1.53: [bad udp cksum 6429!] 40815+ A? safebrowsing-cache.google.com. (47) IP (tos 0x0, ttl 64, id 40628, offset 0, flags [none], proto UDP (17), length 526) 127.0.0.1.53 > 127.0.0.1.49553: 40815| q: A? safebrowsing-cache.google.com. 25/2/0 safebrowsing-cache.google.com.[|domain] IP (tos 0x0, ttl 64, id 4337, offset 0, flags [DF], proto TCP (6), length 60) 127.0.0.1.57552 > 127.0.0.1.53: S, cksum 0x30e4 (correct), 272739230:272739230(0) win 32792 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60) 127.0.0.1.53 > 127.0.0.1.57552: S, cksum 0x6453 (correct), 281541131:281541131(0) ack 272739231 win 32768 IP (tos 0x0, ttl 64, id 4338, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.57552 > 127.0.0.1.53: ., cksum 0x4b76 (correct), 1:1(0) ack 1 win 513 IP (tos 0x0, ttl 64, id 4339, offset 0, flags [DF], proto TCP (6), length 101) 127.0.0.1.57552 > 127.0.0.1.53: P 1:50(49) ack 1 win 513 5198+[|domain] IP (tos 0x0, ttl 64, id 16739, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.53 > 127.0.0.1.57552: ., cksum 0x4b46 (correct), 1:1(0) ack 50 win 512 14:44:32.883449 IP (tos 0x0, ttl 64, id 16740, offset 0, flags [DF], proto TCP (6), length 632) 127.0.0.1.53 > 127.0.0.1.57552: P 1:581(580) ack 50 win 512 5198 q:[|domain] IP (tos 0x0, ttl 64, id 4340, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.57552 > 127.0.0.1.53: ., cksum 0x48ef (correct), 50:50(0) ack 581 win 531 IP (tos 0x0, ttl 64, id 4341, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.57552 > 127.0.0.1.53: F, cksum 0x48ee (correct), 50:50(0) ack 581 win 531 IP (tos 0x0, ttl 64, id 16741, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.53 > 127.0.0.1.57552: F, cksum 0x4900 (correct), 581:581(0) ack 51 win 512 IP (tos 0x0, ttl 64, id 4342, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.57552 > 127.0.0.1.53: ., cksum 0x48ed (correct), 51:51(0) ack 582 win 531 With minimal-responses yes IP (tos 0x0, ttl 64, id 40623, offset 0, flags [none], proto UDP (17), length 75) 127.0.0.1.40215 > 127.0.0.1.53: [bad udp cksum 8a13!] 55747+ A? safebrowsing-cache.google.com. (47) IP (tos 0x0, ttl 64, id 40624, offset 0, flags [none], proto UDP (17), length 494) 127.0.0.1.53 > 127.0.0.1.40215: 55747 q: A? safebrowsing-cache.google.com. 25/0/0 safebrowsing-cache.google.com.[|domain] Best Regards, Guy Baconniere Add “minimal-responses yes;” in your bind9 configuration or ask your ISP to do so.

/etc/bind/named.conf.options

options {

// …

// only add records to the authority and additional data sections when required
minimal-responses yes;

};

By doing this Google’s safebrowsing-cache.google.com
will fit in a standard UDP DNS packet otherwise with additional section it will be TCP DNS packet.

check the result with or without minimal-responses of
dig safebrowsing-cache.google.com

With minimal-responses no (default on Bind9)

IP (tos 0×0, ttl 64, id 40627, offset 0, flags [none], proto UDP (17), length 75) 127.0.0.1.49553 > 127.0.0.1.53: [bad udp cksum 6429!] 40815+ A? safebrowsing-cache.google.com. (47)
IP (tos 0×0, ttl 64, id 40628, offset 0, flags [none], proto UDP (17), length 526) 127.0.0.1.53 > 127.0.0.1.49553: 40815| q: A? safebrowsing-cache.google.com. 25/2/0 safebrowsing-cache.google.com.[|domain]
IP (tos 0×0, ttl 64, id 4337, offset 0, flags [DF], proto TCP (6), length 60) 127.0.0.1.57552 > 127.0.0.1.53: S, cksum 0×30e4 (correct), 272739230:272739230(0) win 32792
IP (tos 0×0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60) 127.0.0.1.53 > 127.0.0.1.57552: S, cksum 0×6453 (correct), 281541131:281541131(0) ack 272739231 win 32768
IP (tos 0×0, ttl 64, id 4338, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.57552 > 127.0.0.1.53: ., cksum 0×4b76 (correct), 1:1(0) ack 1 win 513
IP (tos 0×0, ttl 64, id 4339, offset 0, flags [DF], proto TCP (6), length 101) 127.0.0.1.57552 > 127.0.0.1.53: P 1:50(49) ack 1 win 513 5198+[|domain]
IP (tos 0×0, ttl 64, id 16739, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.53 > 127.0.0.1.57552: ., cksum 0×4b46 (correct), 1:1(0) ack 50 win 512
14:44:32.883449 IP (tos 0×0, ttl 64, id 16740, offset 0, flags [DF], proto TCP (6), length 632) 127.0.0.1.53 > 127.0.0.1.57552: P 1:581(580) ack 50 win 512 5198 q:[|domain]
IP (tos 0×0, ttl 64, id 4340, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.57552 > 127.0.0.1.53: ., cksum 0×48ef (correct), 50:50(0) ack 581 win 531
IP (tos 0×0, ttl 64, id 4341, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.57552 > 127.0.0.1.53: F, cksum 0×48ee (correct), 50:50(0) ack 581 win 531
IP (tos 0×0, ttl 64, id 16741, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.53 > 127.0.0.1.57552: F, cksum 0×4900 (correct), 581:581(0) ack 51 win 512
IP (tos 0×0, ttl 64, id 4342, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.57552 > 127.0.0.1.53: ., cksum 0×48ed (correct), 51:51(0) ack 582 win 531

With minimal-responses yes

IP (tos 0×0, ttl 64, id 40623, offset 0, flags [none], proto UDP (17), length 75) 127.0.0.1.40215 > 127.0.0.1.53: [bad udp cksum 8a13!] 55747+ A? safebrowsing-cache.google.com. (47)
IP (tos 0×0, ttl 64, id 40624, offset 0, flags [none], proto UDP (17), length 494) 127.0.0.1.53 > 127.0.0.1.40215: 55747 q: A? safebrowsing-cache.google.com. 25/0/0 safebrowsing-cache.google.com.[|domain]

Best Regards,
Guy Baconniere

]]> By: David http://www.divideandconquer.se/2009/06/25/firefox-30-freezes-waiting-to-resolve-safebrowsing-cachegooglecom-in-dns/comment-page-1/#comment-400 David Thu, 25 Jun 2009 14:05:45 +0000 http://www.divideandconquer.se/?p=485#comment-400 I found this link with a relevant extract from RFC1123: http://mailman.powerdns.com/pipermail/pdns-users/2003-October/000783.html The DNS response for safebrowsing-cache.google.com returns 24 address records, but it seems like 15 is the limit to avoid truncation. Obviously not all DNS servers handle truncation properly, or they suffer from firewalls that block TCP access to port 53. I found this link with a relevant extract from RFC1123:

http://mailman.powerdns.com/pipermail/pdns-users/2003-October/000783.html

The DNS response for safebrowsing-cache.google.com returns 24 address records, but it seems like 15 is the limit to avoid truncation.

Obviously not all DNS servers handle truncation properly, or they suffer from firewalls that block TCP access to port 53.

]]> By: Cam http://www.divideandconquer.se/2009/06/25/firefox-30-freezes-waiting-to-resolve-safebrowsing-cachegooglecom-in-dns/comment-page-1/#comment-399 Cam Thu, 25 Jun 2009 13:44:42 +0000 http://www.divideandconquer.se/?p=485#comment-399 I saw this problem too, very annoying. Trying to get to the bottom of the 'truncated' problem - all ways to look up that domain seem to fail on my linux box. I suppose the server I use ignores TCP on port 53. Using wireshark the packet returned by UDP seems to be OK. Maybe it's a bug that the packet seems truncated when it's really OK. I saw this problem too, very annoying. Trying to get to the bottom of the ‘truncated’ problem – all ways to look up that domain seem to fail on my linux box. I suppose the server I use ignores TCP on port 53. Using wireshark the packet returned by UDP seems to be OK. Maybe it’s a bug that the packet seems truncated when it’s really OK.

]]>