Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: BuckeyeTexan
I don’t know where you got your information, justlurking, but all offers of professional help have not been spurned, publicly or otherwise.

I got my information from the last thread about this issue. Several people, including you, offered assistance. Jim replied: "Thanks, but no thanks." However, I hope they privately accepted assistance from someone who knows what they are doing.

Jim & John aren’t being difficult, prideful, or stubborn. They’re doing what they can with the resources they have in a tough situation.

And that's why no progress is being made.

This is what I do for a living. I collect information from a client's systems, analyze it, and show them where it is failing or will fail as load increases. No changes are required: almost all of the data is already available, and you just need someone that knows how to make sense of it. On the rare occasions that I need more data, the customer uses tools they already have and I help them to configure them to collect the additional data.

I've done this for long enough and at enough different clients that I can build a working hypothesis from limited information. My next step would be to construct a data collection and analysis strategy to either prove or disprove the hypothesis, and then iterate/adjust until the customer gets the answer they asked for.

I don't make changes to the customer's system(s). They do it, with my direction/assistance if they need it. But, any wholesale implementation change is beyond the scope of what I do. I only identify the problem they need to address, and it is typically a software design issue, not a hardware capacity problem. Sometimes we get lucky and it's just a small software configuration change, but it's rare.

I've been fingerprinted, background-checked, and drug-tested so many times that I've lost count. I just finished analysis of a system that half of the people reading this message probably used in the past year, albeit unknowingly. If my clients can trust an outsider to help them, any "security issues" at FR are easily addressed by checking references.

But, I'm not volunteering. I can't. Even if I did it for free, my employer would consider it a conflict of interest. And my typical hourly rate would consume FR's entire hardware upgrade budget in a few days.

199 posted on 10/31/2012 6:36:01 PM PDT by justlurking (tagline removed, as demanded by Admin Moderator)
[ Post Reply | Private Reply | To 171 | View Replies ]


To: justlurking

I suspect that the problem is, packets are being truncated.

Could be happening at any of these:

1. at the firewall
2. within the server farm
3. because of some diagnostic procedures which have been set up to test for DNS query problems

In cases 1 and 2, it may be resolved by using an MTU of 1424 or 1492 but not “the standard” 1500. Some protocols don’t do well with the MTU set to 1500.

In case 3, port 53 and port 5353 may be subject to testing on both UDP and TCP protocols. It may help to stop that testing and only allow UDP.

Packet truncating -- probably because of MTU settings -- is possibly being solved for now, by allowing TCP for ports 53 and 5353?

When a repeat request is made because a packet was truncated, and the fallback is to TCP, it takes longer -- that is, UDP is faster than TCP.

A request via UDP is one packet. An answer via UDP is one packet.

A request via TCP involves a TCP handshake, a packet for the repeat request, a packet for the reply, and then a few packets of TCP that end the TCP connection.

That is, a UDP request and answer are 2 packets, but a TCP request and answer are 4+ packets.

If packets are being truncated, then there are many repeat requests, and if TCP is allowed for ports 53 and 5353, it takes much greater time.

I am wondering if, because of denial-of-service problems for FR, maybe John R. has set up DNS monitoring that is slowing things down because that monitoring of ports 53 and 5353 - using UDP and TCP - is complicating an existing packet truncation problem?

Something like that. I’m not an expert.


201 posted on 10/31/2012 7:31:58 PM PDT by First_Salute (May God save our democratic-republican government, from a government by judiciary.)
[ Post Reply | Private Reply | To 199 | View Replies ]
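
The truncation-and-fallback behaviour discussed in post 201, as an added example that is not part of the original thread: a DNS reply signals truncation with the TC bit in its header, and the client then repeats the query over TCP with a two-byte length prefix. The query name, message ID and replies below are constructed sample data, and `round_trips` is a hypothetical helper that counts a lower bound (teardown ignored).

```python
import struct

QR_FLAG = 0x8000  # set on responses
TC_FLAG = 0x0200  # "truncated" bit in the DNS header flags word (RFC 1035)

def build_query(name, qid, qtype=1):
    """Encode a minimal DNS query (type A by default, class IN, RD set)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "response": bool(flags & QR_FLAG),
            "truncated": bool(flags & TC_FLAG), "answers": answers}

def needs_tcp_retry(query, reply):
    """True when the reply matches the query and has the TC bit set."""
    q, r = parse_header(query), parse_header(reply)
    return r["response"] and r["id"] == q["id"] and r["truncated"]

def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with its length as 2 bytes."""
    return struct.pack("!H", len(msg)) + msg

def round_trips(query, reply):
    """Lower bound: 1 for a clean UDP exchange; 3 when a truncated UDP
    reply forces a TCP handshake plus a repeated query and reply."""
    return 3 if needs_tcp_retry(query, reply) else 1

def fake_reply(query, truncated):
    """Constructed reply: echoes the question with response flags set."""
    flags = 0x8180 | (TC_FLAG if truncated else 0)
    return query[:2] + struct.pack("!H", flags) + query[4:]

# Constructed sample traffic: one query, three of four replies truncated.
QUERY = build_query("www.example.com", 0x1A2B)
REPLIES = [fake_reply(QUERY, t) for t in (True, True, False, True)]

def total_round_trips(query, replies):
    return sum(round_trips(query, r) for r in replies)

if __name__ == "__main__":
    print("round trips:", total_round_trips(QUERY, REPLIES))
    print("TCP frame prefix:", frame_for_tcp(QUERY)[:2].hex())
```
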

To: justlurking; Jim Robinson

I guess we have different definitions of spurned. I didn’t receive Jim’s response of “thanks, but no thanks” as a scornful rejection. I know Jim appreciates that we want to help.

I should actually apologize to Jim, and I do, for putting him in an awkward position. I should have offered that help privately. My intentions were good. I wanted to ease some of the pressure on Jim and John. But with 20 years’ experience, I know the difficulties that outside help can create.

I can appreciate that this is what you do for a living, but if you’re not in a position to offer free help and Jim isn’t in a position to hire you anyway, then it’s moot.

I don’t know that we can say no progress is being made. Since John is the only person with access and he hasn’t posted to any of these threads, we don’t know what he’s figured out, tried, or even considered.


203 posted on 11/01/2012 7:44:21 AM PDT by BuckeyeTexan
[ Post Reply | Private Reply | To 199 | View Replies ]



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson