
DNS packet size -- what's the correct size


Rob Tanner

Sep 30, 2007, 12:15:10 PM
Hi,
It's my understanding that the max DNS packet size is 512 bytes and that
is apparently what Cisco thinks because our firewall is blocking DNS
packets over that size, calling them malformed. The problem is that we
see numerous such packets and the real puzzler is that many of them
originate with core servers.

The issue is getting serious because there are some sites for which I
can't resolve addresses from on campus, but use an external name server
and those same sites resolve perfectly. And, of course, I'm concerned
that this problem is related to the dropping of oversized packets by the
firewall.

Is Cisco's default limit too small? Can someone explain to me what
might be going on?

Thanks,
Rob


--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR

dnd

Sep 30, 2007, 2:31:42 PM
Rob:

We recently dealt with the same problem after changing Bind versions
from 8.2.7 (ancient, I know) to 8.4.7
Turns out, since 8.3, the default EDNS size has been higher (can't
recall if it is 1024 or 2048).

In any event, the problem you describe is indeed with the Pix, but we
did a quick fix by adding the following to our named.conf files.

Add `edns-udp-size 512;' to your named.conf file as a work-around.

Before this fix, our name servers were unable to resolve certain
addresses (e.g. cluster1.us.messagelabs.com) which sent large packets.
We have not had any further incidents after the named.conf modification.

Regards,

Debbie Andrews


David Nolan

Sep 30, 2007, 2:17:35 PM

--On September 30, 2007 9:15:10 AM -0700 Rob Tanner <rta...@linfield.edu>
wrote:

> Hi,
> It's my understanding that the max DNS packet size is 512 bytes and that
> is apparently what Cisco thinks because our firewall is blocking DNS
> packets over that size, calling them malformed. The problem is that we
> see numerous such packets and the real puzzler is that many of them
> originate with core servers.
>
> The issue is getting serious because there are some sites for which I
> can't resolve addresses from on campus, but use an external name server
> and those same sites resolve perfectly. And, of course, I'm concerned
> that this problem is related to the dropping of oversized packets by the
> firewall.
>
> Is Cisco's default limit too small? Can someone explain to me what
> might be going on?

Cisco's default limit for UDP DNS packets is historical and no longer
accurate. As of RFC 2671, published in 1999, there has been a mechanism
for servers to communicate DNS responses larger than 512 bytes without
reverting to TCP. (TCP DNS responses were the way to work around the
limit, but involve the significantly higher overhead of establishing TCP
sessions.)

The servers communicate this capability to each other with extension flags
set within the DNS query & response packets. A firewall which filters
large UDP DNS packets without clearing this flag in DNS packets that pass
through it will cause problems for the servers. See this URL for some
suggestions for avoiding this problem:

<http://homepages.tesco.net/J.deBoynePollard/FGA/dns-edns0-and-firewalls.html>

-David Nolan
Network Software Designer
Computing Services
Carnegie Mellon University


Rob Tanner

Sep 30, 2007, 4:50:46 PM
Thanks to all who replied. It's odd that my O'Reilly DNS book still
lists 512 bytes as the max size. From the comments I got, I've asked
our network manager to either turn that check off entirely or set the
limit to 2048.
Again thanks.

-- Rob

On 09/30/2007 11:31 AM, dnd wrote:
> Rob:
>
> We recently dealt with the same problem after changing Bind versions
> from 8.2.7 (ancient, I know) to 8.4.7
> Turns out, since 8.3, the default EDNS size has been higher (can't
> recall if it is 1024 or 2048).
>
> In any event, the problem you describe is indeed with the Pix, but we
> did a quick fix by adding the following to our named.conf files.
>
> Add `edns-udp-size 512;' to your named.conf file as a work-around.
>
> Before this fix, our name servers were unable to resolve certain
> addresses (e.g. cluster1.us.messagelabs.com) which sent large packets.
> We have not had any further incidents after the named.conf modification.
>
> Regards,
>
> Debbie Andrews
>


Mark Andrews

Sep 30, 2007, 7:15:48 PM

> Thanks to all who replied. It's odd that my O'Reilly DNS book still
> lists 512 bytes as the max size. From the comments I got, I've asked
> our network manager to either turn that check off entirely or set the
> limit to 2048.
> Again thanks.
>
> -- Rob

Look for EDNS. We tend to distinguish between DNS and
Extended DNS. For plain DNS the limit is still 512. 512
is still the limit for EDNS requests unless you have recently
probed the server for EDNS support.

Modern nameservers use 4096 or so as the UDP packet size.

This is the currently recommended size.

> On 09/30/2007 11:31 AM, dnd wrote:
> > Rob:
> >
> > We recently dealt with the same problem after changing Bind versions
> > from 8.2.7 (ancient, I know) to 8.4.7

BIND 8.4.7 is ancient as well. So ancient that it is no longer
supported.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_A...@isc.org


Mark Andrews

Sep 30, 2007, 7:18:47 PM

> Cisco's default limit for UDP DNS packets is historical and no longer
> accurate. As of RFC 2671, published in 1999, there has been a mechanism
> for servers to communicate DNS responses larger than 512 bytes without
> reverting to TCP. (TCP DNS responses were the way to work around the
> limit, but involve the significantly higher overhead of establishing TCP
> sessions.)
>
> The servers communicate this capability to each other with extension flags
> set within the DNS query & response packets. A firewall which filters
> large UDP DNS packets without clearing this flag in DNS packets that pass
> through it will cause problems to the servers. See this URL for some
> suggestions for avoiding this problem

Firewalls that remove the OPT field or adjust the EDNS UDP size
will break TSIG-signed messages.

It's time firewalls just accepted EDNS messages without fiddling
with them. It's not like this is new technology.



> <http://homepages.tesco.net/J.deBoynePollard/FGA/dns-edns0-and-firewalls.html>

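The two mechanisms discussed in this thread, the EDNS0 OPT pseudo-RR that advertises a UDP payload size above 512 bytes (David Nolan's reply) and the TSIG signature that a size-rewriting firewall invalidates (Mark Andrews' reply), can both be seen on the wire with a short script. The following is an added example written for this page, not code from any poster, BIND or Cisco. It hand-assembles a query for the hostname Debbie mentioned, builds a constructed 536-byte reply to it, runs the reply past a 512-byte PIX-style size check, then signs the query with a constructed TSIG key and shows that clamping the OPT CLASS field (the advertised UDP size) to 512 in transit makes verification fail. The key name, secret, timestamp and 198.51.100.0/24 addresses are all made up; the TSIG code is a minimal RFC 2845 implementation (no request-MAC chaining or time-window check) sufficient to show the breakage.

```python
"""Added example: EDNS0 advertised size, 512-byte firewall filter, TSIG breakage."""
import hashlib
import hmac
import struct

ALG = "hmac-sha256."          # TSIG algorithm name, in canonical (root-terminated) form
OPT, TSIG, ANY = 41, 250, 255  # RR type / class numbers used below


def encode_name(name):
    """Uncompressed wire-format name, lower-cased as TSIG canonical form requires."""
    out = b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in name.strip(".").split(".") if l)
    return out + b"\x00"


def skip_name(msg, off):
    """Offset just past a name; a 0xC0 compression pointer is two bytes and ends the name."""
    while msg[off] not in (0,) and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)


def records(msg):
    """Yield (section, rr_offset, type, class, ttl, rdata) for each RR after the question."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                       # QTYPE + QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            start = off
            off = skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            yield section, start, rtype, rclass, ttl, msg[off:off + rdlen]
            off += rdlen


def build_query(qname, qtype=1, qid=0x1234, udp_size=4096):
    """Recursive A query; udp_size > 0 appends an EDNS0 OPT RR advertising that size."""
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if udp_size else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if udp_size:  # RFC 2671: root name, TYPE 41, CLASS = UDP payload size, TTL = ext flags, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)
    return msg


def build_response(query, addresses):
    """Constructed answer: one A RR per address (name compressed to the question) plus an OPT RR."""
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180, 1, len(addresses), 0, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + bytes(int(o) for o in a.split(".")) for a in addresses)
    return header + query[12:qend] + answers + b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, 0)


def advertised_udp_size(msg):
    """Payload size the sender accepts over UDP: the OPT CLASS field, or 512 for plain DNS."""
    return next((rc for s, _, rt, rc, _, _ in records(msg) if s == "additional" and rt == OPT), 512)


def firewall_passes(msg, limit=512):
    """Legacy size check: any UDP DNS message longer than `limit` is dropped as malformed."""
    return len(msg) <= limit


def firewall_rewrite_opt(msg, new_size=512):
    """Middlebox that clamps the advertised EDNS size in place (the CLASS field of the OPT RR)."""
    out = bytearray(msg)
    for _, start, rtype, _, _, _ in records(msg):
        if rtype == OPT:
            struct.pack_into("!H", out, skip_name(msg, start) + 2, new_size)
    return bytes(out)


def _tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """RFC 2845 3.4.2: key name, class ANY, TTL 0, algorithm, time, fudge, error, other data."""
    return (encode_name(key_name) + struct.pack("!HI", ANY, 0) + encode_name(ALG)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, key_name, key, time_signed, fudge=300):
    """Append a TSIG RR whose MAC covers the whole message as sent, OPT RR included."""
    mac = hmac.new(key, msg + _tsig_variables(key_name, time_signed, fudge), hashlib.sha256).digest()
    rdata = (encode_name(ALG) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))          # original ID, error, other len
    rr = encode_name(key_name) + struct.pack("!HHIH", TSIG, ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def tsig_verify(signed, key_name, key):
    """Strip the TSIG RR, decrement ARCOUNT, recompute the MAC and compare in constant time."""
    found = [(start, rd) for _, start, rt, _, _, rd in records(signed) if rt == TSIG]
    if not found:
        return False
    start, rdata = found[0]
    alg_end = skip_name(rdata, 0)
    time_signed = int.from_bytes(rdata[alg_end:alg_end + 6], "big")
    fudge, mac_len = struct.unpack("!HH", rdata[alg_end + 6:alg_end + 10])
    mac = rdata[alg_end + 10:alg_end + 10 + mac_len]
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    unsigned = signed[:10] + struct.pack("!H", arcount) + signed[12:start]
    expected = hmac.new(key, unsigned + _tsig_variables(key_name, time_signed, fudge), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def demo():
    key_name, key = "campus-key.", b"constructed-shared-secret"  # constructed, not a real key
    query = build_query("cluster1.us.messagelabs.com", udp_size=4096)
    reply = build_response(query, ["198.51.100.%d" % i for i in range(1, 31)])  # RFC 5737 test range
    signed = tsig_sign(query, key_name, key, time_signed=1191175200)           # constructed timestamp
    tampered = firewall_rewrite_opt(signed)
    return {"query_advertises": advertised_udp_size(query),
            "plain_dns_default": advertised_udp_size(build_query("example.com", udp_size=0)),
            "reply_bytes": len(reply),
            "reply_passes_512": firewall_passes(reply),
            "reply_passes_4096": firewall_passes(reply, 4096),
            "tsig_ok": tsig_verify(signed, key_name, key),
            "tsig_ok_after_rewrite": tsig_verify(tampered, key_name, key),
            "rewritten_size": advertised_udp_size(tampered)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the thread's three points in one place: a query without an OPT RR is limited to 512 bytes, the same query carrying an OPT RR advertises 4096 and so legitimately elicits a 536-byte UDP reply that a 512-byte filter silently drops, and a middlebox that "helpfully" rewrites the advertised size to 512 leaves the TSIG MAC no longer matching the message it covers, which is why the fix belongs in the firewall policy rather than in packet rewriting.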