DNS packet size -- what's the correct size

Mark Andrews Mark_Andrews at isc.org
Sun Sep 30 23:18:47 UTC 2007


> 
> 
> --On September 30, 2007 9:15:10 AM -0700 Rob Tanner <rtanner at linfield.edu> 
> wrote:
> 
> > Hi,
> > It's my understanding that the max DNS packet size is 512 bytes and that
> > is apparently what Cisco thinks because our firewall is blocking DNS
> > packets over that size, calling them malformed.  The problem is that we
> > see numerous such packets and the real puzzler is that many of them
> > originate with core servers.
> >
> > The issue is getting serious because there are some sites for which I
> > can't resolve addresses from on campus, but use an external name server
> > and those same sites resolve perfectly.  And, of course, I'm concerned
> > that this problem is related to the dropping of oversized packets by the
> > firewall.
> >
> > Is Cisco's default limit too small?  Can someone explain to me what
> > might be going on?
> 
> Cisco's default limit for UDP DNS packets is historical and no longer 
> accurate.  As of RFC 2671, published in 1999, there has been a mechanism 
> for servers to communicate DNS responses larger than 512 bytes without 
> reverting to TCP.  (TCP DNS responses were the way to work around the 
> limit, but involve the significantly higher overhead of establishing TCP 
> sessions.)
> 
> The servers communicate this capability to each other with extension flags 
> set within the DNS query & response packets.  A firewall which filters 
> large UDP DNS packets without clearing this flag in DNS packets that pass 
> through it will cause problems to the servers.  See this URL for some 
> suggestions for avoiding this problem

	Firewalls that remove the OPT field or adjust the EDNS UDP size
	will break TSIG signed messages.

	It's time firewalls just accepted EDNS messages without fiddling
	with them.  It's not like this is new technology.
 
> <http://homepages.tesco.net/J.deBoynePollard/FGA/dns-edns0-and-firewalls.html
> >
> 
> -David Nolan
>  Network Software Designer
>  Computing Services
>  Carnegie Mellon University
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org


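As an added illustration of the EDNS0 mechanism discussed above (not code from this thread or from ISC): a small Python script that builds a DNS query carrying the RFC 2671 OPT pseudo-RR in the additional section, advertising a UDP payload size above 512 bytes, and a checker that reports whether a raw DNS message still carries that OPT record and what size it advertises. Running the checker on queries captured on both sides of a firewall shows whether the middlebox is stripping or rewriting the OPT field. The query name, ID and 4096-byte size are constructed sample values.

```python
import struct

def _skip_name(msg, off):
    # Skip a (possibly compressed) domain name; return the offset just past it.
    while True:
        ln = msg[off]
        if ln == 0:                  # root label terminates the name
            return off + 1
        if ln & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + ln

def build_edns_query(qname, udp_size=4096, edns=True, qid=0x1234):
    # Standard A/IN query (RD set) with an optional EDNS0 OPT pseudo-RR.
    # Header: ID, flags, QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 if OPT present.
    hdr = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = qname.rstrip(".").encode().split(b".")
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = name + struct.pack(">HH", 1, 1)           # QTYPE=A, QCLASS=IN
    if not edns:
        return hdr + question
    # OPT RR (RFC 2671): NAME=root, TYPE=41, CLASS=advertised UDP payload size,
    # TTL field = extended RCODE / version / flags (all zero here), RDLENGTH=0.
    opt = b"\x00" + struct.pack(">HHIH", 41, udp_size, 0, 0)
    return hdr + question + opt

def edns_udp_size(msg):
    # Walk every section of a raw DNS message; return the UDP payload size
    # advertised by the OPT RR, or None if the message carries no OPT
    # (e.g. because a firewall removed it on the way through).
    qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 41:                                  # OPT pseudo-RR
            return rclass
        off += 10 + rdlen
    return None

if __name__ == "__main__":
    q = build_edns_query("example.com", 4096)            # constructed sample query
    print(len(q), "bytes, advertised EDNS UDP size:", edns_udp_size(q))
    print("plain query:", edns_udp_size(build_edns_query("example.com", edns=False)))
```

Compare the result for the same query as seen by the resolver and by the authoritative server; if the inside copy advertises 4096 and the outside copy reports None or 512, the firewall is rewriting EDNS.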
