Re: [DNSOP] are there recent studies of client side/ISP firewalls interfering with EDNS?

Robert Edmonds <> Thu, 12 November 2015 17:35 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 011D41B2ABD for <>; Thu, 12 Nov 2015 09:35:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id l1MujmI8b5mO for <>; Thu, 12 Nov 2015 09:35:21 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 722771B2ABB for <>; Thu, 12 Nov 2015 09:35:21 -0800 (PST)
Received: by (Postfix, from userid 1000) id 1102E1C441E7; Thu, 12 Nov 2015 12:35:19 -0500 (EST)
Date: Thu, 12 Nov 2015 12:35:19 -0500
From: Robert Edmonds <>
To: John Kristoff <>
Message-ID: <>
References: <> <> <20151112104340.4ebb742a@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20151112104340.4ebb742a@localhost>
Archived-At: <>
Cc: "Wiley, Glen" <>, "" <>, Nicholas Weaver <>
Subject: Re: [DNSOP] are there recent studies of client side/ISP firewalls interfering with EDNS?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 12 Nov 2015 17:35:23 -0000

John Kristoff wrote:
> After a DNS over TCP discussion a student of mine indicated that they
> recently fixed a problem in their network where DNS messages over 512
> bytes were not being relayed.  It appears the root cause has to do with
> some defaults being set common gear that simply drops messages over 512
> bytes.  For example:
>   <>
>       !-- Enable a maximum message length to help defeat DNS
>       !-- amplification attacks. Note: This is the default
>       !-- configuration and value based on RFC 1035.
>       !
>       message-length maximum 512

Ironically, elsewhere in that same document series:

    Potential Networking Challenges with DNSSEC Deployment

    The networking-specific challenges from DNSSEC are largely the
    result of the differences mentioned previously: increased packet
    sizes, EDNS requirements and the more frequent use of TCP. Many
    firewall devices incorrectly limit DNS responses to 512 and prohibit
    DNS over TCP. [...]

This is still wrong, though; "and" should be "or", as in "Many firewall
devices incorrectly limit DNS responses to 512 *or* prohibit DNS over
TCP."  That document further states:

    Connectivity Over UDP and TCP port 53

    Because most DNS traffic is sent over UDP port 53, any filtering of
    traffic that exists on the network is unlikely to impact future
    native DNS traffic that is traversing UDP port 53. However, if DNS
    traffic is not currently permitted to traverse TCP port 53, which is
    typically used for large DNS packets (that is, those greater than
    512 bytes), any issues with DNS traffic over TCP port 53 will be
    exacerbated when DNSSEC packets begin arriving on the network,
    because many DNSSEC packets will be greater than 512 bytes due to
    the additional packet overhead of DNSSEC. If traffic using TCP port
    53 is currently not permitted, or is being filtered to or from
    specific hosts or networks, then it may be necessary to account for
    new hosts and networks that could be sending DNSSEC traffic over TCP
    port 53.

This seems to be implying that it's OK to block >512B UDP as long as you
don't *also* block TCP/53 :-(

Robert Edmonds