[dns-operations] PMTUD of .org servers

Florian Weimer fw at deneb.enyo.de
Sat Jun 20 14:00:01 UTC 2009


* Paul Vixie:

>> On the client side, a raw IP socket (perhaps bound to the UDP protocol if
>> the stack allows it) and looking for tail fragments (which are likely to
>> get through because they don't exhaust the path MTU) could provide some
>> data.  It might be easier to run fragment assembly entirely in user space
>> instead of matching this data to the UDP sockets you receive. 8-/
>
> this approach would also help find head fragments whose following fragments
> never arrive due to firewalls that don't understand ip fragmentation and who
> therefore only pass UDP/53, do not remember IP ID, do not pass fragments in
> an explicit rule, and do not associate fragments (which have no UDP header
> and thus are not "UDP/53") with their first fragments.  this is one of the
> most common causes of EDNS0 timeouts.

Right.  This should probably be put into some diagnostics program which
uses libpcap and spits out appropriate warnings.  If the client side
is mainly at fault, this can and should be fixed locally.

I know it's very difficult to build static packet filter rules which
handle fragmented traffic properly.  (Stateful packet filters which
are part of proprietary network devices are usually not fast enough to
cope with heavy DNS or HTTP traffic.)  I can't really fault anyone who
tries to make shortcuts.
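A sketch of the diagnostic described in the message above, added here as an example and not code from the thread: it parses raw IPv4 packets (the form libpcap would hand them over in; here they are constructed inline), remembers head fragments that carry a UDP/53 header and warns when the tail fragment never shows up. The class and function names, the 2-second threshold and the sample addresses are assumptions.

```python
import socket, struct

UDP, DNS_PORT = 17, 53
TAIL_TIMEOUT = 2.0   # seconds before a missing tail fragment counts as lost (assumed)

def parse_ipv4(pkt):
    """Split an IPv4 packet into the fragment fields we need plus its payload."""
    ver_ihl, _, total_len, ip_id, flags_off, _, proto = struct.unpack('!BBHHHBB', pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    more = bool(flags_off & 0x2000)          # MF bit
    offset = (flags_off & 0x1FFF) * 8        # fragment offset in bytes
    return pkt[12:16], pkt[16:20], ip_id, proto, more, offset, pkt[ihl:total_len]

class FragmentWatcher:
    """Remembers head fragments of UDP/53 packets and reports those whose
    tail fragment (MF=0) never arrives, the symptom of a fragment-blind firewall."""
    def __init__(self, timeout=TAIL_TIMEOUT):
        self.timeout = timeout
        self.pending = {}                    # (src, dst, ip_id) -> time head was seen
    def observe(self, ts, pkt):
        src, dst, ip_id, proto, more, offset, payload = parse_ipv4(pkt)
        if proto != UDP or not (more or offset):
            return                           # unfragmented or non-UDP: nothing to track
        key = (src, dst, ip_id)
        if offset == 0:                      # head fragment: only it carries the UDP header
            sport, dport = struct.unpack('!HH', payload[:4])
            if DNS_PORT in (sport, dport):
                self.pending.setdefault(key, ts)
        elif not more:
            self.pending.pop(key, None)      # tail arrived: train completed
    def expire(self, now):
        """Return one warning per DNS head fragment whose tail is overdue."""
        late = [k for k, t0 in self.pending.items() if now - t0 > self.timeout]
        for k in late:
            del self.pending[k]
        return ['%s -> %s id=%#x: head fragment seen, tail never arrived'
                % (socket.inet_ntoa(s), socket.inet_ntoa(d), i) for s, d, i in late]

def build_fragment(src, dst, ip_id, offset, more, payload):
    flags_off = (0x2000 if more else 0) | (offset // 8)   # constructed fragment, checksum left 0
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), ip_id, flags_off, 64,
                       UDP, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def demo():
    # two constructed response trains from a server: one complete, one with its tail dropped
    w = FragmentWatcher()
    udp = struct.pack('!HHHH', DNS_PORT, 40000, 1980, 0)   # sport 53, dport 40000, length, checksum
    w.observe(0.0, build_fragment('192.0.2.1', '198.51.100.7', 0x1111, 0, True, udp + b'A' * 1472))
    w.observe(0.1, build_fragment('192.0.2.1', '198.51.100.7', 0x1111, 1480, False, b'B' * 500))
    w.observe(0.2, build_fragment('192.0.2.2', '198.51.100.7', 0x2222, 0, True, udp + b'C' * 1472))
    return w.expire(5.0)                                  # -> one warning, for id 0x2222
```

In a real run the packets and timestamps would come from a pcap loop rather than `build_fragment`, and `expire` would be called periodically.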
