DNS packet size -- what's the correct size
David Nolan
vitroth+ at cmu.edu
Sun Sep 30 18:17:35 UTC 2007
--On September 30, 2007 9:15:10 AM -0700 Rob Tanner <rtanner at linfield.edu>
wrote:
> Hi,
> It's my understanding that the max DNS packet size is 512 bytes and that
> is apparently what Cisco thinks because our firewall is blocking DNS
> packets over that size, calling them malformed. The problem is that we
> see numerous such packets and the real puzzler is that many of them are
> originate with core servers.
>
> The issue is getting serious because there are some sites for which I
> can't resolve addresses from on campus, but use an external name server
> and those same sites resolve perfectly. And, of course, I'm concerned
> that this problem is related the dropping of over sized packets by the
> firewall.
>
> Is Cisco's default limit too small? Can someone explain to me what
> might be going on.
Cisco's default limit for UDP DNS packets is historical and no longer
accurate. As of RFC 2671, published in 1999, there has been a mechanism
for servers to communicate DNS responses larger then 512 bytes without
reverting to TCP. (TCP DNS responses were the way to work around the
limit, but involve the significantly higher overhead of establishing TCP
sessions.)
The servers communicate this capability to each other with extension flags
set within the DNS query & response packets. A firewall which filters
large UDP DNS packets without clearing this flag in DNS packets that pass
through it will cause problems to the servers. See this URL for some
suggestions for avoiding this problem
<http://homepages.tesco.net/J.deBoynePollard/FGA/dns-edns0-and-firewalls.html>
-David Nolan
Network Software Designer
Computing Services
Carnegie Mellon University
More information about the bind-users
mailing list