Why did I get intermittent timeouts and slow response times when resolving *.paypal.com domain names?

PayPal domain name resolution caused timeouts or slow response times.

In recent years, PayPal has upgraded its Domain Name Servers, changing how it responds to DNS requests. If your firewalls aren't standards-compliant, you may encounter intermittent timeouts and slow response times when resolving *.paypal.com domain names.

If your router or firewall infrastructure cannot handle larger UDP DNS responses (or the IP fragments they arrive in), you'll get intermittent responses to DNS queries for paypal.com. The device silently drops the packet and, because UDP has no retransmission, nothing tells either end that it was lost. The DNS client keeps retrying until it succeeds or times out.

To resolve this issue, make sure that your firewalls are standards-compliant and allow DNS responses of at least 4096 bytes.

For DNS servers, it's best to remove any restrictions on DNS packet size (raise the limit from 512 bytes to 2-4 KB), support EDNS0 on the DNS servers themselves, and allow UDP fragments. However, the larger responses that result will cause issues for customers whose firewall rules aren't RFC 2671-compliant. RFC 2671 (Extension Mechanisms for DNS, EDNS0) was published in 1999 and has since been replaced by RFC 6891; DNSSEC and any DNS response larger than 512 bytes depend on it.

PayPal's DNS data has many facets: several anti-phishing email configurations, additional records to support more capacity, IPv6 (AAAA) information, and EDNS0 details. Together these push responses well past the classic 512-byte UDP limit.

The following dig output for the signed zone isc-sns.info shows a response larger than 1024 bytes (the address of the A record, the signature data, and the responding server's address are truncated in the original):

ns3.isc-sns.info. 3600 IN A
ns3.isc-sns.info. 3600 IN RRSIG A 5 3 3600 20101029162747 20100929162747 50469 isc-sns.info. iGiEoFbSyWX9fU5LZti2A3+8EFp8el65ynrGfG+I3KUlSQ1B8axDaINF soc=
isc-sns.info. 3600 IN NS ns3.isc-sns.info.
isc-sns.info. 3600 IN NS ns2.isc-sns.com.
isc-sns.info. 3600 IN NS ns1.isc-sns.net.
isc-sns.info. 3600 IN RRSIG NS 5 2 3600 20101029162747 20100929162747 50469 isc-sns.info. RAzjTIdEG1obhznolZ1iFGrSty87pdEKzjP3VkCvsLSaubUyoOCzou3q yvI=
;; Received 1250 bytes from in 29 ms

PayPal DNS requirements
Your infrastructure must support IETF RFC 4035 (Protocol Modifications for the DNS Security Extensions). This means your DNS software must:
  • Support EDNS0 (see IETF RFC 2671).
  • Allow IP fragments.
  • Allow port 53 traffic on both TCP and UDP so that if UDP fails, it can fall back to TCP.
  • Allow DNS responses of up to 4K through any intermediate firewalls between your resolver and the Internet to allow for larger signed responses.
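The following is an added example, not PayPal's code and not part of the original page. It builds a DNS query carrying an EDNS0 OPT record that advertises a 4096-byte UDP payload size, parses the response header and OPT record, and implements the resolver behaviour the requirements above assume: retry with a smaller advertised size when a large UDP reply never arrives (which is exactly what a firewall dropping large or fragmented datagrams looks like from the client side, as described under the intermittent-timeout symptom), and fall back to TCP when the server sets the TC bit. The authoritative server, the firewall that silently drops UDP datagrams over 512 bytes, the 75 A records that pad the reply to roughly the 1250 bytes of the example response, and the query name www.paypal.com are all constructed for the demonstration.

```python
"""EDNS0 query building, response parsing and UDP -> TCP fallback.
Added example (not PayPal's code): the server, the firewall and the
sample data below are constructed for illustration."""
import struct

CLASSIC_MAX = 512     # RFC 1035 UDP payload limit without EDNS0
EDNS_BUFSIZE = 4096   # size the page asks firewalls to pass
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
DO_BIT = 0x8000       # DNSSEC OK flag, carried in the OPT RR's TTL field


def encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.strip(".").split(".")) + b"\x00"


def opt_rr(bufsize, dnssec_ok=True):
    # OPT pseudo-RR (RFC 2671): root NAME, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE / version / flags (DO bit), empty RDATA.
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize,
                                 DO_BIT if dnssec_ok else 0, 0)


def build_query(name, bufsize=EDNS_BUFSIZE, txid=0x1234):
    # Header: RD set, 1 question, 0 answer, 0 authority, 1 additional (the OPT RR).
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN) + opt_rr(bufsize)


def skip_name(buf, off):
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(buf):
    """Return the fields a resolver needs to decide its next step."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4            # skip QTYPE + QCLASS
    info = {"id": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "answers": an, "size": len(buf), "edns_bufsize": None}
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        if rtype == TYPE_OPT:
            info["edns_bufsize"] = rclass        # OPT reuses CLASS for the peer's size
        off += 10 + rdlen
    return info


def resolve(name, udp_send, tcp_send):
    """Try EDNS0 over UDP, shrink the advertised size when nothing comes back
    (a firewall dropping large or fragmented datagrams looks exactly like
    packet loss), and fall back to TCP when the server sets TC."""
    path = []
    for bufsize in (EDNS_BUFSIZE, CLASSIC_MAX):
        resp = udp_send(build_query(name, bufsize))
        if resp is None:
            path.append("udp/%d: no response" % bufsize)
            continue
        info = parse_response(resp)
        if not info["tc"]:
            path.append("udp/%d: ok" % bufsize)
            return info, path
        path.append("udp/%d: truncated" % bufsize)
        break
    resp = tcp_send(build_query(name))
    if resp is None:
        path.append("tcp: no response")
        return None, path
    path.append("tcp: ok")
    return parse_response(resp), path


def fake_server(query, n_answers, over_tcp):
    """Constructed authoritative server: n_answers A records for the query name.
    Over UDP it truncates (TC=1, no answers) when the full reply would exceed
    the size the client advertised in its OPT RR."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    answers = b"".join(struct.pack("!HHHIH4B", 0xC00C, TYPE_A, CLASS_IN, 300, 4,
                                   192, 0, 2, i & 0xFF) for i in range(n_answers))
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    full = (struct.pack("!HHHHHH", txid, flags, 1, n_answers, 0, 1) + question
            + answers + opt_rr(EDNS_BUFSIZE))
    if over_tcp or len(full) <= parse_response(query)["edns_bufsize"]:
        return full
    return (struct.pack("!HHHHHH", txid, flags | FLAG_TC, 1, 0, 0, 1) + question
            + opt_rr(EDNS_BUFSIZE))


def diagnose(name, firewall_max_udp, n_answers=75):
    """Run resolve() through a constructed firewall that silently drops UDP
    datagrams larger than firewall_max_udp bytes: no ICMP, no retransmit."""
    def udp(q):
        reply = fake_server(q, n_answers, over_tcp=False)
        return reply if len(reply) <= firewall_max_udp else None
    return resolve(name, udp, lambda q: fake_server(q, n_answers, over_tcp=True))


if __name__ == "__main__":
    for limit in (CLASSIC_MAX, EDNS_BUFSIZE):
        info, path = diagnose("www.paypal.com", limit)
        print("firewall passes <= %d bytes: %s -> %d answers in %d bytes"
              % (limit, ", ".join(path), info["answers"], info["size"]))
```

With the 512-byte firewall the 1243-byte reply vanishes on the first attempt, the retry at 512 comes back truncated, and only the TCP fallback delivers the answer; with a 4096-byte firewall the first UDP query succeeds. To run `resolve()` against a real resolver, replace the two transports with socket code: a UDP sender that does `sendto` and `recv(4096)` with a timeout (returning `None` on timeout), and a TCP sender that prefixes the query with its 2-byte big-endian length and strips the same prefix from the reply, which is how DNS is framed over TCP.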

In addition, IETF RFC 5625 (DNS Proxy Implementation Guidelines) states that:
  • Resolvers must handle Resource Records (RRs) of unknown type transparently.
  • All requests and responses must be proxied, regardless of the values of the QTYPE and QCLASS fields.
  • Similarly, all responses must be proxied, regardless of the values of the TYPE and CLASS fields of any Resource Record.

Note: Don't indiscriminately block ICMP. Many firewall manuals advise blocking all incoming ICMP, but DNS servers and resolvers rely on "ICMP unreachable" messages to detect a dead peer quickly; without them they can only wait for a timeout, resulting in worse service. Blocking ICMP also breaks Path MTU Discovery, which large DNS responses depend on.
