The answer is that DNS is mostly UDP port 53, but as time progresses, DNS will rely on TCP port 53 more heavily. DNS has been designed to use both UDP and TCP port 53 from the start [1], with UDP being the default; it falls back to TCP when it is unable to communicate over UDP, typically when the message is too large to fit in a single UDP packet.

The next natural question is: when will DNS messages exceed 512 bytes? Actually, this happens quite often in today's environment. When DNS was first implemented, the only thing large enough to exceed the 512-byte limit was a zone transfer, in which one DNS server sends every resource record in the zone to another machine, usually another DNS server. In modern DNS systems, though, we are increasingly seeing resource record sets (RRsets) with a larger combined size. As more and more people adopt newer features such as IPv6, spam avoidance, and DNSSEC, DNS is more likely to switch to TCP due to the larger response size. For example, Figure FAQ-5 illustrates querying for may yield results such as this (AAAA are IPv6 records):

[Figure FAQ-5: response to an AAAA query]

Whatever the case, when the message size exceeds 512 bytes, the 'TC' (Truncation) bit in the DNS header is set, informing the client that the message length has exceeded the allowed size. In these situations, the client needs to retransmit the query over TCP, which has no such size limit. If the DNS servers and the network environment cannot support large UDP packets, this will cause retransmission over TCP; if TCP is blocked, the large UDP response will either result in IP fragmentation or be dropped completely. The end symptom for the client is usually slow DNS resolution, or an inability to resolve certain domain names at all.

You might be wondering where the 512-byte size limit comes from. The 512-byte UDP payload size is a dependency on IPv4. The IPv4 standard [2] specifies that every host must be able to reassemble packets of 576 bytes or less; take away the headers and other options, and that leaves 512 bytes for payload data. This is the reason why there were originally precisely 13 DNS root servers [3]: 13 domain names and 13 IPv4 addresses fit nicely into a single UDP packet. This size limitation was recognized long ago as a problem. In 1999, Extension Mechanisms for DNS (EDNS) was proposed, and it has been updated over the years, increasing the size all the way to 4096 bytes, or 4 kilobytes. So, if you are running a reasonably up-to-date DNS server, the chances of it switching to TCP should be slim(mer). However, even though EDNS has been around a long time, its support has not been as universal as it should be [4]. Some network equipment, such as firewalls, might still make assumptions about DNS packet size.
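The TC-bit fallback and the EDNS size advertisement described above, as an added example that is not part of the original page: a small Python script that builds a query with and without an EDNS0 OPT record and simulates the responder's choice between a full UDP answer and a truncated one that tells the client to retry over TCP. The name www.example.com, the transaction ID and the 700-byte sample answer are constructed for the example.

```python
"""Minimal DNS wire-format helpers showing the 512-byte / TC-bit / EDNS0 logic."""
import struct

TC_FLAG = 0x0200          # Truncation bit in the DNS header flags word
CLASSIC_UDP_LIMIT = 512   # payload cap a client gets without EDNS (RFC 1035)


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, qtype=28, txid=0x1234, edns_udp_size=None):
    """Build a query (qtype 28 = AAAA); with edns_udp_size set, append an OPT
    pseudo-RR (RFC 6891) in the additional section. The advertised UDP buffer
    size travels in the OPT record's CLASS field."""
    flags = 0x0100                         # RD: recursion desired
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    opt = b""
    if edns_udp_size:
        # NAME=root (0x00), TYPE=41 (OPT), CLASS=udp size, TTL=0, RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the fixed 12-byte header; 'tc' is what a resolver checks first."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & TC_FLAG),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "arcount": ar}


def must_retry_over_tcp(response):
    """A resolver must discard a TC=1 answer and repeat the query over TCP."""
    return parse_header(response)["tc"]


def server_response(full_answer, client_udp_limit=CLASSIC_UDP_LIMIT):
    """Simulate the responder: if the complete message fits in the client's
    UDP buffer it goes out unchanged; otherwise the server sets TC. Simplified
    here to returning only the header of the truncated message."""
    if len(full_answer) <= client_udp_limit:
        return full_answer
    txid, flags = struct.unpack("!HH", full_answer[:4])
    return struct.pack("!HH", txid, flags | TC_FLAG) + full_answer[4:12]


# Constructed 700-byte answer: QR/RD/RA set, 10 answer records, filler data.
SAMPLE_ANSWER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 10, 0, 0) + b"\x00" * 688
```

Running `server_response(SAMPLE_ANSWER)` with the classic 512-byte limit yields a TC=1 header, while a client that advertised 4096 bytes via `build_query(..., edns_udp_size=4096)` receives the full answer over UDP.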