Why did I get intermittent timeouts and slow response times when resolving *.paypal.com domain names?
PayPal domain name resolution caused timeouts or slow response times.
In recent years, PayPal has upgraded its Domain Name Servers, changing how it responds to DNS requests. If your firewalls aren't standards-compliant, you may encounter intermittent timeouts and slow response times when resolving *.paypal.com domain names.
If your router and firewall infrastructure has problems handling larger UDP/DNS responses, you'll get intermittent responses to DNS queries for paypal.com. In such cases, the device drops the packet, and (because of UDP) there is no retransmit. The DNS client will continue trying until it times out or succeeds.
To resolve this issue, make sure that your firewalls are standards-compliant and allow DNS responses of at least 4096 bytes.
For DNS servers, it's best to raise any DNS packet-size limit from 512 bytes to 2-4 KB, support EDNS0 on the DNS servers themselves, and allow UDP fragments. However, these actions will cause issues for customers using firewall rules that aren't RFC 2671-compliant. RFC 2671 was published in 1999 and is used by DNSSEC and EDNS0 (as well as for larger DNS records).
The data included in PayPal's DNS record has many facets. It includes several anti-phishing email configurations, as well as records to support more capacity, IPv6 information, and EDNS0 details.
The following example shows a response larger than 1024 bytes:
ns3.isc-sns.info.  3600  IN  A      126.96.36.199
ns3.isc-sns.info.  3600  IN  RRSIG  A 5 3 3600 20101029162747 20100929162747 50469 isc-sns.info. Yqco+7kDuwXswVbyewzzeS5uR/hGvOzLI1z0WvMOGReOtIv7JiSwtEgJ MPzpZs2lvZySNwBo85SejRHPin8J9u624g064rtTIr6/IZUtt/V5XelG iGiEoFbSyWX9fU5LZti2A3+8EFp8el65ynrGfG+I3KUlSQ1B8axDaINF soc=
isc-sns.info.      3600  IN  NS     ns3.isc-sns.info.
isc-sns.info.      3600  IN  NS     ns2.isc-sns.com.
isc-sns.info.      3600  IN  NS     ns1.isc-sns.net.
isc-sns.info.      3600  IN  RRSIG  NS 5 2 3600 20101029162747 20100929162747 50469 isc-sns.info. nS44OcSf0IVsh+TIPI4E7IS5noJVhsFlFhQ6YMzxRSyHPUMaEHQGIWOm nEt6dddJQOBpAlLQLQWzyHEeDHkJbaRIj7VnIXulHW3m41e9FZ9tnuM4 RAzjTIdEG1obhznolZ1iFGrSty87pdEKzjP3VkCvsLSaubUyoOCzou3q yvI=
;; Received 1250 bytes from 188.8.131.52#53(ns2.isc-sns.com) in 29 ms
PayPal DNS requirements
Your infrastructure must support IETF RFC 4035 (Protocol Modifications for the DNS Security Extensions). This means your DNS software must:
- Support EDNS0 (see IETF RFC 2671).
- Allow IP fragments.
- Allow port 53 traffic on both TCP and UDP so that if UDP fails, it can fall back to TCP.
- Allow DNS responses of up to 4K through any intermediate firewalls between your resolver and the Internet to allow for larger signed responses.
In addition, IETF RFC 5625 (DNS Proxy Implementation Guidelines) states that:
- Resolvers must handle Resource Records (RRs) of unknown type transparently.
- All requests and responses must be proxied, regardless of the values of the QTYPE and QCLASS fields.
- Similarly, all responses must be proxied, regardless of the values of the TYPE and CLASS fields of any Resource Record.
Note: Don't indiscriminately block ICMP. Although many firewall manuals advise blocking all incoming ICMP, DNS servers depend on "ICMP unreachable" messages to fail fast; when those are blocked they fall back to waiting for a timeout, resulting in worse service.