[AusNOG] "stateless TCP" for DNS

Mark Andrews marka at isc.org
Mon Nov 15 21:17:32 EST 2010 

In message <4CE0D68E.8050205 at swin.edu.au>, Mattia Rossi writes:
> On 15/11/2010 16:00, Mark Andrews wrote:
> [..]
> > * However, most DNS servers are configured to allow only a maximum
> > UDP packet size of 512 Bytes.
> >
> > [ Most DNS servers are configured honour UDP sizes in EDNS requests.
> > Even then those that reduce the size usually do it to the level of
> > preventing IP fragmentation.  Almost no servers reduce it to 512
> > bytes as there are very few firewalls that block outgoing large
> > replies. ]
> 
> Do you have any data or can you point us to any link which we could use 
> to verify your statement? Our assumption is based on the following 
> research: 
> http://labs.ripe.net/Members/dfk/content-measuring-dns-transfer-sizes-first-r
> esults

Looking at that data set about ~35% of the requestors were limited
to 512 bytes if I'm reading the graphs correctly.  I fail to see
how you can turn 35% into "most".

When you start looking to find which nameservers are tuned down to
512 bytes you need to elimate all the servers that are not capable
of > 512 bytes of response.

Almost all recursive server vendors ship servers with EDNS enabled
now but there is still a long tail of installed base out there of
old servers which are not EDNS capable.  Similarly almost all
authoritative server vendors (except load balancers) ship servers
which talk EDNS by default.  These include servers from Microsoft
which was a hold out for a long time.

> > * Firewalls and NAT boxes are known to drop DNS UDP packets which
> > are larger than 512 Bytes.
> >
> > [ Which depends on the firewall configuration (newer defaults allow 4096
> > byte UDP response by default when talking EDNS) and whether you are talking
> > to the NAT (broken proxies often without TCP support) or through the NAT
> > (usually no issues).
> 
> Well, yes. New NAT/firewall boxes might not have the problem, but old 
> ones might. We don't know how many there are, how much will break etc.

And we really don't have to worry about them as the recursive servers
are capable of figuring out what will pass through the firewall.
Stub resolvers don't currently do EDNS or DO (by default) and if
you turn it on you will almost certainly test that it works with your
recursive servers or write recovery code to similar to what recursive
servers do.

Additionally authoritative servers can tune their responses to the
buffer sizes offered.  Named, for example, turns on minimal responses
if it sees a 512 byte EDNS buffer.  This gets rid of anything not
essential to the response and pulls most positive and no data DNSSEC
responses back under 512 bytes.  Name error (NXDOMAIN) DNSSEC responses
still tends to go over 512 bytes so those trigger TCP fallback but NXDOMAIN
responses are not that common from leaf zones.

> > Also if firewalls block responses bigger than 512 bytes was a issue it
> > would have turned up years ago as the non DNSSEC EDNS referral to the
> > COM and NET servers has been bigger the 512 bytes for a long time now.
> 
> Cool. This is in fact news to us.
> 
> We certainly don't know exactly what's going on in the DNS system, as 
> we're not ueber-DNS experts.
> That's why we asked for feedback, thanks.
> 
> Cheers
> Mat
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the AusNOG mailing list