DNS flag day 2020 initiative to address fragmentation and TCP support issues

Today, a number of major DNS services and DNS server developers are holding a joint event, DNS flag day 2020, aimed at solving problems with IP fragmentation when processing large DNS messages. This is the second such event; last year's "DNS flag day" focused on the correct handling of EDNS requests.

Members of the DNS flag day 2020 initiative are calling for the recommended EDNS buffer size to be fixed at 1232 bytes (a 1280-byte MTU minus 48 bytes of headers), and for the processing of requests over TCP to be moved into the category of features that servers must support. In RFC 1035, only handling requests over UDP is marked as mandatory, while TCP is listed as desirable but not required for operation. The newer RFC 7766 and RFC 5966 explicitly classify TCP as one of the mandatory features required for DNS to function correctly. As part of the initiative, it is proposed to force a switch from sending requests over UDP to TCP in cases where the established EDNS buffer size is not enough.

The proposed changes will eliminate confusion over the choice of EDNS buffer size and solve the problem of fragmentation of large UDP messages, which often leads to packet loss and timeouts on the client side. On the client side the EDNS buffer size will be constant, and large responses will immediately be sent to the client over TCP. Avoiding large messages over UDP will also resolve the problem of large packets being dropped by some firewalls and block DNS cache poisoning attacks based on the manipulation of fragmented UDP packets (when a datagram is split into fragments, the second fragment carries no header with the transaction identifier, so it can be forged; it is enough just to match the checksum).

Starting today, participating DNS providers, including Cloudflare, Quad9, Cisco (OpenDNS), and Google, will gradually change the EDNS buffer size from 4096 to 1232 bytes on their DNS servers (the rollout will be spread over 4-6 weeks and will cover an increasing share of requests over time). Responses to UDP requests that do not fit within the new limit will be sent over TCP. DNS server vendors, including the developers of BIND, Unbound, Knot, NSD and PowerDNS, will release updates that change the default EDNS buffer size from 4096 bytes to 1232 bytes.

Ultimately, the changes may lead to resolution problems when accessing DNS servers whose UDP responses exceed 1232 bytes and which cannot send a response over TCP. An experiment conducted at Google showed that changing the EDNS buffer size has little to no effect on the failure rate: with a 4096-byte buffer, the share of truncated UDP responses is 0.345% and the share of failed retransmissions over TCP is 0.115%; with a 1232-byte buffer, these figures are 0.367% and 0.116%. Making TCP support a mandatory feature of DNS will cause problems when interacting with about 0.1% of DNS servers. It is noted that under current conditions, these servers already operate unstably without TCP.

Administrators of authoritative DNS servers should ensure that their server responds over TCP on port 53 and that this TCP port is not blocked by a firewall. An authoritative DNS server should also not send UDP responses larger than the EDNS buffer size requested by the client. On the server itself, the EDNS buffer size should be set to 1232 bytes. Resolvers are subject to roughly the same requirements: the ability to respond over TCP, support for repeating a query over TCP after receiving a truncated UDP response, and an EDNS buffer size of 1232 bytes.
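As an added illustration (not part of the original article or of any of the servers it lists), the following Python sketch implements both halves of the behaviour required above: a resolver that advertises a 1232-byte EDNS buffer and repeats a truncated (TC=1) query over TCP, and the authoritative-side rule that a UDP reply must never exceed the requester's buffer. It uses only the standard library; udp_send and tcp_send are placeholder transports supplied by the caller, and the message helpers are deliberately simplified (no name compression, a single OPT record in the additional section).

```python
import struct

EDNS_BUFSIZE = 1232   # DNS flag day 2020 recommendation: 1280-byte MTU minus 48 bytes of headers
TC = 0x0200           # TrunCation bit in the DNS header flags word

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, bufsize=EDNS_BUFSIZE, txid=0x1234):
    """Standard query (RD=1) carrying an EDNS0 OPT record that advertises `bufsize`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)     # 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)       # OPT RR: CLASS = UDP payload size
    return header + question + opt

def question_end(msg):
    """Offset just past the first question entry (question names are never compressed)."""
    i = 12
    while msg[i]:
        i += msg[i] + 1
    return i + 1 + 4          # terminating zero label + QTYPE + QCLASS

def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC)

def advertised_bufsize(query):
    """Requester's EDNS buffer size, or 512 when the query carries no OPT record."""
    i = question_end(query)   # assumes the OPT is the only additional record (the normal case)
    if struct.unpack("!H", query[10:12])[0] and query[i:i + 3] == b"\x00\x00\x29":
        return struct.unpack("!H", query[i + 3:i + 5])[0]        # root owner name + TYPE 41 matched
    return 512

def truncate_if_needed(response, bufsize):
    """Authoritative side: cut an oversized UDP reply to header + question with TC=1."""
    if len(response) <= bufsize:
        return response
    txid, flags = struct.unpack("!HH", response[:4])
    header = struct.pack("!HHHHHH", txid, flags | TC, 1, 0, 0, 0)
    return header + response[12:question_end(response)]

def resolve(name, udp_send, tcp_send, qtype=1):
    """Resolver side: query over UDP with a 1232-byte buffer; on TC=1 repeat the query over TCP.
    udp_send/tcp_send are caller-supplied transports (e.g. socket wrappers) taking one message."""
    query = build_query(name, qtype)
    reply = udp_send(query)
    if not is_truncated(reply):
        return reply, "udp"
    framed = tcp_send(struct.pack("!H", len(query)) + query)     # TCP DNS: 2-byte length prefix
    return framed[2:2 + struct.unpack("!H", framed[:2])[0]], "tcp"
```

To exercise it against a real server, pass transports that send the bytes over a SOCK_DGRAM and a SOCK_STREAM socket to port 53 respectively and return what comes back.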

The following parameters set the EDNS buffer size in different DNS servers:

  • BIND

    options {
    edns-udp-size 1232;
    max-udp-size 1232;
    };

  • KnotDNS

    max-udp-payload: 1232

  • Knot Resolver

    net.bufsize(1232)

  • PowerDNS Authoritative

    udp-truncation-threshold=1232

  • PowerDNS Recursor

    edns-outgoing-bufsize=1232
    udp-truncation-threshold=1232

  • Unbound

    edns-buffer-size: 1232

  • NSD

    ipv4-edns-size: 1232
    ipv6-edns-size: 1232

Source: opennet.ru