[dns-operations] PMTUD of .org servers

Mark Andrews marka at isc.org
Sat Jun 20 23:33:59 UTC 2009


In message <878wjn80pq.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> * Paul Vixie:
> 
> >> On the client side, a raw IP socket (perhaps bound to the UDP protocol if
> >> the stack allows it) and looking for tail fragments (which are likely to
> >> get through because they don't exhaust the path MTU) could provide some
> >> data.  It might be easier to run fragment assembly entirely in user space
> >> instead of matching this data to the UDP sockets you receive. 8-/
> >
> > this approach would also help find head fragments whose following fragments
> > never arrive due to firewalls that don't understand ip fragmentation and who
> > therefore only pass UDP/53, do not remember IP ID, do not pass fragments in
> > an explicit rule, and do not associate fragments (which have no UDP header
> > and thus are not "UDP/53") with their first fragments.  this is one of the
> > most common causes of EDNS0 timeouts.
> 
> Right.  This should probably be put into some diagnostics program which
> uses libpcap and spits out appropriate warnings.  If the client side
> is mainly at fault, this can and should be fixed locally.
> 
> I know it's very difficult to build static packet filter rules which
> handle fragmented traffic properly.  (Stateful packet filters which
> are part of proprietary network devices are usually not fast enough to
> cope with heavy DNS or HTTP traffic.)  I can't really fault anyone who
> tries to make shortcuts.

There is almost no state to match on when the packets come out of
order.  You need to hold the fragments, then release or drop them
once you see the initial fragment in the packet.

The actual rules shouldn't be any harder as long as the firewall
does hold the fragments.  If it doesn't hold the fragments then
there is only one thing you can do and that is to pass all fragments
if you allow any incoming connections or allow ones through which
match the source and destination address of any existing connection
if you only allow reply traffic through.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
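
As an added illustration of both points in this exchange (the libpcap-based diagnostic Florian and Paul discuss, and Mark's note that a filter has to hold fragments until it sees the first one), here is a small user-space IPv4 fragment tracker. It is not code from the thread or from ISC: it consumes raw IPv4 bytes such as a capture would hand over, uses only the Python standard library, and every packet it processes is constructed inline for the demo. It reports datagrams whose head fragment (the only one carrying the UDP header) arrived without its tails, the symptom of a "UDP/53 only" firewall, as well as tails that arrived without a head.

```python
"""Added example, not part of the thread: a minimal user-space IPv4 fragment
tracker.  It parses raw IPv4 headers, groups fragments by (src, dst, proto,
IP ID), reports which datagrams never completed, and shows the
"hold until the first fragment is seen" decision a stateful filter needs.
All packets are constructed inline (sample data, not captured traffic)."""
import struct
from collections import defaultdict

IP_MF = 0x2000          # "More Fragments" bit in the IPv4 flags/offset field
UDP_PROTO = 17
DNS_PORT = 53


def parse_ipv4(packet: bytes) -> dict:
    """Return the IPv4 header fields needed for fragment tracking plus the payload."""
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident, "proto": proto, "src": src, "dst": dst,
        "more": bool(flags_off & IP_MF),
        "offset": (flags_off & 0x1FFF) * 8,       # offset is in 8-byte units
        "payload": packet[ihl:total_len],
    }


def build_ipv4(ident: int, offset: int, more: bool, payload: bytes,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Construct a sample IPv4/UDP fragment (checksum left zero; demo data only)."""
    flags_off = (IP_MF if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_off, 64, UDP_PROTO, 0, src, dst)
    return header + payload


class FragmentTracker:
    """Holds fragments per datagram until the head (offset 0) has been seen."""

    def __init__(self):
        self.groups = defaultdict(dict)  # key -> {offset: (more_flag, payload)}

    def feed(self, packet: bytes) -> None:
        f = parse_ipv4(packet)
        if not f["more"] and f["offset"] == 0:
            return                       # unfragmented datagram, nothing to track
        key = (f["src"], f["dst"], f["proto"], f["id"])
        self.groups[key][f["offset"]] = (f["more"], f["payload"])

    def status(self, key) -> str:
        """'complete', 'missing-head' (no offset-0 fragment) or 'missing-tail'."""
        frags = self.groups[key]
        if 0 not in frags:
            return "missing-head"
        expected = 0
        for off in sorted(frags):
            if off != expected:
                return "missing-tail"    # a gap: later fragments never arrived
            more, payload = frags[off]
            expected = off + len(payload)
            if not more:
                return "complete"
        return "missing-tail"            # last fragment seen still had MF set

    def reassemble(self, key) -> bytes:
        """Concatenate the payloads of a complete datagram in offset order."""
        assert self.status(key) == "complete"
        frags = self.groups[key]
        return b"".join(frags[o][1] for o in sorted(frags))

    def decide(self, key) -> str:
        """Filter-style decision for held fragments.  Only the head fragment
        carries the UDP header, so "is this UDP/53?" can be judged only once
        the head has arrived; until then the fragments must be held."""
        frags = self.groups[key]
        if 0 not in frags:
            return "hold"
        src_port, dst_port, _length, _csum = struct.unpack("!HHHH", frags[0][1][:8])
        return "release" if DNS_PORT in (src_port, dst_port) else "drop"

    def report(self) -> dict:
        return {key: self.status(key) for key in self.groups}


def demo() -> dict:
    """Three constructed scenarios: complete, head only, tail only."""
    udp_hdr = struct.pack("!HHHH", DNS_PORT, 40000, 8 + 24, 0)  # sample DNS reply header
    head = udp_hdr + b"A" * 8        # 16-byte head payload (multiple of 8)
    tail = b"B" * 16
    t = FragmentTracker()
    t.feed(build_ipv4(1, 0, True, head))
    t.feed(build_ipv4(1, 16, False, tail))               # both halves arrived
    t.feed(build_ipv4(2, 0, True, head))                 # tail dropped by a UDP/53-only filter
    t.feed(build_ipv4(3, 16, False, tail))               # head never arrived
    return {k[3]: (t.status(k), t.decide(k)) for k in t.groups}


if __name__ == "__main__":
    for ip_id, (state, action) in demo().items():
        print(f"IP ID {ip_id}: {state}, filter would {action}")
```

In a real diagnostic the `feed()` calls would come from a libpcap loop and entries older than a reassembly timeout would be aged out before being reported, since a tail that is merely late looks identical to one that was dropped.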
