[dns-operations] DNS maximum packet size
warren at kumari.net
Fri Sep 18 21:20:26 UTC 2009
On Sep 18, 2009, at 1:50 PM, Patrick, Robert wrote:
> Are firewall vendors working to increase the default settings for
> DNS maximum packet size in order to better support EDNS and DNSSEC?
> Cisco firewalls have a default maximum packet size for DNS set to
> 512 bytes, and I’m going to guess similar settings exist for other
> vendor firewalls.
> A recent inquiry to increase the default setting for DNS maximum
> packet size enforcement on Cisco firewalls was answered with “the
> default configuration change is not on our firewall roadmap”.
> Is anybody working to get the vendors to put this change into
> product roadmaps, especially as year-end approaches and the OMB
> deadline is reached?
A fair bit of the issue is consumer broadband widgets -- there is an
SSAC report here: http://www.icann.org/committees/security/sac035.pdf
During July and August 2008, Core Competence and Nominet UK, the
registry for .UK, collaborated to assess the impact of DNSSEC on
residential Internet router and SOHO firewall devices commonly used
with broadband access services. Shinkuro, Inc., The Internet Society,
ICANN, and Afilias, Ltd supported core Competence’s participation in
Two dozen residential Internet router and SOHO firewall devices
commonly used with broadband services were tested under closed
controlled test beds to determine whether each unit correctly routes
• DNS queries requiring TCP or EDNS0 to convey lengthy DNSSEC responses
• Non-DNSSEC queries on signed and unsigned domains
• Non-DNSSEC queries that set other DNSSEC-related request flags
• DNSSEC queries that request server-side validation
• DNSSEC queries that request no server-side validation
Published market research, broadband provider websites, and retail
"best seller" lists were used to identify the most widely deployed
equipment supplied by broadband providers, or purchased by consumers
and organizations for Small and Home Office networks.
The summary of findings is reproduced here:
• All 24 units could route DNSSEC queries addressed to upstream
resolvers (referred to herein as route mode) without size limitations.
• 22 units could proxy DNS queries addressed directly to them
(referred to herein as proxy mode), with varying degrees of success.
• 6 of 22 DNS proxies had difficulty with DNSSEC-related flags and/or
validated responses that effectively prevented DNSSEC use in proxy mode.
• 16 of 22 DNS proxies could successfully pass DNSSEC queries and
return validated responses of some size.
• 18 DNS proxies limited responses over UDP to either 512 bytes or a
size constrained by the MTU. Only 4 could return responses over UDP up
to 4096 bytes, while just 1 could proxy DNS over TCP (no size limit).
Such limits can interfere with returning longer DNSSEC responses.
• When deployed with factory defaults, 15 units are likely to be used
as DNS proxies, while 3 always route DNS queries. The rest (6) vary
over time, preferring to route DNS after being connected to a WAN.
The report concludes that only 6 units (25%) operate with full
DNSSEC compatibility using the default or "out of the box"
configuration. Nine (9) units (37%) can be reconfigured to bypass DNS
proxy incompatibilities. The remaining percent of units (38%) lack
reconfigurable DHCP DNS parameters, making it harder for LAN clients
to bypass their interference with DNSSEC use.
The report offers several additional significant conclusions:
• domain signing will have no impact on broadband consumers that do
not use DNSSEC
• consumers are encouraged to upgrade to the latest firmware for the
products they operate to assure they become DNSSEC-ready at the
• manufacturers are encouraged to avoid further implementation delay
to ease the introduction of DNSSEC. (Note: Several technical
recommendations accompany this conclusion and all merit the
• manufacturers are also encouraged to consider additional DNS
security measures; specific emphasis is placed on removing open
resolver, cache poisoning and source spoofing vulnerabilities
Per unit test results have been made available along with the report.
Getting people to upgrade CPE is really really really hard -- folks
buy these widgets from their local electronics store and they likely
never upgrade the firmware (until they replace the whole thing when it
> Example configuration change for Cisco ASA and FWSM shown below:
> conf t
> policy-map type inspect dns preset_dns_map
> message-length maximum 4096
> policy-map global_policy
> class inspection_default
> inspect dns preset_dns_map
"I think it would be a good idea."
- Mahatma Ghandi, when asked what he thought of Western civilization
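A client-side check for the behaviour the report measures, written here as an added example (not code from the SAC035 report or from either poster): it builds a DNS query with an EDNS0 OPT record advertising a 4096-byte UDP buffer and the DO bit, then classifies the reply the way the thread discusses it: dropped, EDNS0 stripped (expect a 512-byte ceiling), truncated (the resolver must retry over TCP, so TCP/53 has to be open too), or fine. The DNSKEY query type, the 4096-byte buffer and the probe() arguments are my assumptions.

```python
import socket, struct

OPT_TYPE, DNSKEY_TYPE, TC_BIT = 41, 48, 0x0200   # EDNS0 OPT RR type, DNSKEY type, header TC flag

def build_edns_query(name, qtype=DNSKEY_TYPE, udp_payload=4096, txid=0x1234):
    """Query with an OPT RR advertising udp_payload bytes and the DO bit set (asks for DNSSEC data)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)     # RD=1; 1 question, 1 additional (OPT)
    labels = [lab.encode() for lab in name.rstrip(".").split(".") if lab]
    question = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00" + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/DO bit, RDLEN 0
    return header + question + b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0x8000, 0)

def _skip_name(data, off):
    while data[off] != 0:                 # walk labels; a 2-byte compression pointer ends the name
        if data[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + data[off]
    return off + 1

def inspect_response(data):
    """Size, TC bit and the responder's OPT payload size (None = EDNS0 stripped or unsupported)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, edns_size = 12, None
    for _ in range(qd):
        off = _skip_name(data, off) + 4                           # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == OPT_TYPE:
            edns_size = rclass                                    # OPT carries payload size in CLASS
        off += 10 + rdlen
    return {"size": len(data), "truncated": bool(flags & TC_BIT), "edns_size": edns_size}

def verdict(result):
    if result is None:
        return "dropped"          # timeout: a middlebox most likely discarded the oversized UDP reply
    if result["edns_size"] is None:
        return "edns-stripped"    # OPT ignored or removed: expect a 512-byte ceiling on this path
    return "tc-retry-tcp" if result["truncated"] else "ok"       # TC means TCP/53 must be open too

def probe(server, name, timeout=3.0):
    """Send one EDNS0 query over UDP; inspect_response() result, or None when nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name), (server, 53))
        try:
            return inspect_response(s.recvfrom(65535)[0])
        except socket.timeout:
            return None
```

Run probe() against a resolver reached through the firewall or CPE under test, once with the query-size policy at its default and once after raising it, to see which of the four outcomes changes.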