- Jan 9, 2020
The DNS community has been discussing persistent interoperability and performance issues with the DNS system on industry mailing lists and at conferences, such as the DNS-OARC 30 panel discussion (video, slides).
The proposed plan for DNS Flag Day 2020 was announced in October 2019 at RIPE78 by Petr Špaček, CZ.NIC and Ondřej Surý, ISC (video, slides). This year, we are focusing on problems with IP fragmentation of DNS packets.
IP fragmentation is unreliable on the Internet today, and can cause transmission failures when large DNS messages are sent via UDP. Even when fragmentation does work, it may not be secure; it is theoretically possible to spoof parts of a fragmented DNS message, without easy detection at the receiving end.
Recently, a paper and presentation, Defragmenting DNS - Determining the optimal maximum UDP response size for DNS by Axel Koolhaas and Tjeerd Slokker in collaboration with NLnet Labs, explored real-world data gathered with RIPE Atlas probes; the researchers suggested different values for IPv4 and IPv6 and for different scenarios. This is practical for server operators who know their environment, while the defaults in DNS software should reflect the minimum safe size, which is 1232.
- Bonica R. et al, “IP Fragmentation Considered Fragile”, Work in Progress, July 2018
- Huston G., “IPv6, Large UDP Packets and the DNS”, August 2017
- Fujiwara K., “Measures against cache poisoning attacks using IP fragmentation in DNS”, May 2019
- Fujiwara K. et al, “Avoid IP fragmentation in DNS”, September 2019
These issues can be addressed by a) configuring servers to limit DNS messages sent over UDP to a size that will not trigger fragmentation on typical network links, and b) ensuring that DNS servers can switch from UDP to TCP when a DNS response is too big to fit in this limited buffer size.
Message Size Considerations
The optimum DNS message size to avoid IP fragmentation while minimizing the use of TCP will depend on the Maximum Transmission Unit (MTU) of the physical network links connecting two network endpoints. Unfortunately, there is not yet a standard mechanism for DNS server implementors to access this information. Until such a standard exists, we recommend that the EDNS buffer size should, by default, be set to a value small enough to avoid fragmentation on the majority of network links in use today.
An EDNS buffer size of 1232 bytes will avoid fragmentation on nearly all current networks. This is based on an MTU of 1280, the minimum required by the IPv6 specification, minus 48 bytes for the IPv6 and UDP headers, and is supported by the research cited above.
Note that this recommendation is for a default value, to be used when better information is not available. Operators may still configure larger values if their networks support larger data frames and they are certain there is no risk of IP fragmentation. DNS server vendors may use higher (or lower) packet sizes if better information about the MTU is available from the kernel.
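As an added illustration of the two mitigations above (a default EDNS buffer size of 1232 and a TCP retry when the UDP reply is truncated), the following Python, which is not from the DNS Flag Day site or any DNS implementation, builds an EDNS0 query advertising 1232 bytes, has a simulated server truncate a constructed 1500-byte reply that exceeds that size, and has the client fall back to TCP. The transports are in-memory stand-ins, not real sockets, and the query's OPT record is assumed to sit directly after the question.

```python
import struct

# Default advertised EDNS buffer size: IPv6 minimum MTU minus IPv6 and UDP headers
IPV6_MIN_MTU, IPV6_HDR, UDP_HDR = 1280, 40, 8
DEFAULT_EDNS_BUFSIZE = IPV6_MIN_MTU - IPV6_HDR - UDP_HDR  # 1232
TC_FLAG = 0x0200  # "truncated" bit in the DNS header flags

def encode_name(qname):
    labels = [l.encode() for l in qname.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(qname, qtype=1, txid=0x1234, bufsize=DEFAULT_EDNS_BUFSIZE):
    """DNS query (RD=1) with one question and an EDNS0 OPT record advertising bufsize."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)
    return header + question + opt

def question_end(msg):
    """Offset just past the single question section (questions carry no compression pointers)."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4  # terminating zero + QTYPE + QCLASS

def advertised_bufsize(query):
    """UDP payload size from the OPT record assumed to follow the question; 512 if there is none."""
    qe = question_end(query)
    return struct.unpack("!H", query[qe + 3:qe + 5])[0] if query[qe:qe + 3] == b"\x00\x00\x29" else 512

def udp_reply(full_response, client_bufsize):
    """Server side: send the full reply over UDP only if it fits the client's advertised size;
    otherwise send header + question with TC=1 so the client retries over TCP."""
    if len(full_response) <= client_bufsize:
        return full_response
    txid, flags = struct.unpack("!HH", full_response[:4])
    header = struct.pack("!HHHHHH", txid, flags | TC_FLAG, 1, 0, 0, 0)
    return header + full_response[12:question_end(full_response)]

def is_truncated(response):
    return bool(struct.unpack("!H", response[2:4])[0] & TC_FLAG)

def resolve(query, udp_send, tcp_send):
    """Client side: UDP first; on TC=1 resend the same query over TCP with a 2-byte length prefix."""
    response = udp_send(query)
    if not is_truncated(response):
        return response, "udp"
    framed = tcp_send(struct.pack("!H", len(query)) + query)
    return framed[2:], "tcp"

# Constructed demo data: a 1500-byte TXT reply (QR/RD/RA set, filler answer bytes) that would fragment at MTU 1280
QUERY = build_query("example.com", qtype=16)
FULL = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:question_end(QUERY)]
FULL += b"\xAA" * (1500 - len(FULL))

def demo():
    udp = lambda q: udp_reply(FULL, advertised_bufsize(q))           # server honours the advertised size
    tcp = lambda framed: struct.pack("!H", len(FULL)) + FULL          # TCP carries the full reply
    return resolve(QUERY, udp, tcp)
```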
The next DNS Flag Day is scheduled for 2020-10-01. It focuses on the operational and security problems in DNS caused by Internet Protocol packet fragmentation.
You can test your DNS with that test: 2020
And also sites with that: 2020
I tested NextDNS and their website, and both tests are