[dns-operations] DNS maximum packet size

Warren Kumari warren at kumari.net
Fri Sep 18 21:20:26 UTC 2009

On Sep 18, 2009, at 1:50 PM, Patrick, Robert wrote:

> Are firewall vendors working to increase the default settings for  
> DNS maximum packet size in order to better support EDNS and DNSSEC?
> Cisco firewalls have a default maximum packet size for DNS set to  
> 512 bytes, and I’m going to guess similar settings exist for other  
> vendor firewalls.
> A recent inquiry to increase the default setting for DNS maximum  
> packet size enforcement on Cisco firewalls was answered with “the  
> default configuration change is not on our firewall roadmap”.
> Is anybody working to get the vendors to put this change into  
> product roadmaps, especially as year-end approaches and the OMB  
> deadline is reached?

A fair bit of the issue is consumer broadband widgets -- there is an  
SSAC report here: http://www.icann.org/committees/security/sac035.pdf

Executive summary:

During July and August 2008, Core Competence and Nominet UK, the  
registry for .UK, collaborated to assess the impact of DNSSEC on  
residential Internet router and SOHO firewall devices commonly used  
with broadband access services. Shinkuro, Inc., The Internet Society,  
ICANN, and Afilias, Ltd supported Core Competence’s participation in  
this study.

Two dozen residential Internet router and SOHO firewall devices  
commonly used with broadband services were tested under closed  
controlled test beds to determine whether each unit correctly routes  
or proxies:

	• DNS queries requiring TCP or EDNS0 to convey lengthy DNSSEC responses
	• Non-DNSSEC queries on signed and unsigned domains
	• Non-DNSSEC queries that set other DNSSEC-related request flags
	• DNSSEC queries that request server-side validation
	• DNSSEC queries that request no server-side validation

Published market research, broadband provider websites, and retail  
"best seller" lists were used to identify the most widely deployed  
equipment supplied by broadband providers, or purchased by consumers  
and organizations for Small and Home Office networks.

The summary of findings is reproduced here:

	• All 24 units could route DNSSEC queries addressed to upstream  
resolvers (referred to herein as route mode) without size limitations.
	• 22 units could proxy DNS queries addressed directly to them  
(referred to herein as proxy mode), with varying degrees of success.
	• 6 of 22 DNS proxies had difficulty with DNSSEC-related flags and/or  
validated responses that effectively prevented DNSSEC use in proxy mode.
	• 16 of 22 DNS proxies could successfully pass DNSSEC queries and  
return validated responses of some size.
	• 18 DNS proxies limited responses over UDP to either 512 bytes or a  
size constrained by the MTU. Only 4 could return responses over UDP up  
to 4096 bytes, while just 1 could proxy DNS over TCP (no size limit).  
Such limits can interfere with returning longer DNSSEC responses.
	• When deployed with factory defaults, 15 units are likely to be used  
as DNS proxies, while 3 always route DNS queries. The rest (6) vary  
over time, preferring to route DNS after being connected to a WAN.

The report concludes that only 6 units (25%) operate with full  
DNSSEC compatibility using the default or "out of the box"  
configuration. Nine (9) units (37%) can be reconfigured to bypass DNS  
proxy incompatibilities. The remaining percent of units (38%) lack  
reconfigurable DHCP DNS parameters, making it harder for LAN clients  
to bypass their interference with DNSSEC use.

The report offers several additional, significant conclusions:

	• domain signing will have no impact on broadband consumers that do  
not use DNSSEC
	• consumers are encouraged to upgrade to the latest firmware for the  
products they operate to assure they become DNSSEC-ready at the  
earliest opportunity
	• manufacturers are encouraged to avoid further implementation delay  
to ease the introduction of DNSSEC. (Note: Several technical  
recommendations accompany this conclusion and all merit the  
manufacturers’ attention.)
	• manufacturers are also encouraged to consider additional DNS  
security measures; specific emphasis is placed on removing open  
resolver, cache poisoning and source spoofing vulnerabilities

Per-unit test results have been made available along with the report.

Getting people to upgrade CPE is really really really hard -- folks  
buy these widgets from their local electronics store and they likely  
never upgrade the firmware (until they replace the whole thing when it  


> Example configuration change for Cisco ASA and FWSM shown below:
> --/--
> conf t
> policy-map type inspect dns preset_dns_map
>  parameters
>   message-length maximum 4096
> policy-map global_policy
>  class inspection_default
>   inspect dns preset_dns_map
> end
> --/--

"I think it would be a good idea."
- Mahatma Ghandi, when asked what he thought of Western civilization
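A small probe for the 512-byte limit discussed in this thread, added here as an example; it is not code from the thread, from the SAC035 report, or from any vendor. It sends a DNS query carrying an EDNS0 OPT record that advertises a UDP buffer size (RFC 6891) and reports the reply size, the TC bit and the buffer size the responder advertised. Run with increasing advertised sizes against your own resolver, a path clamped to 512 bytes by a firewall or CPE proxy shows up as truncation or silence for answers that exceed 512 bytes. The resolver address and query name on the command line are placeholders for your own; the sample reply used for the self-check is constructed, not captured.

```python
"""EDNS0 buffer-size probe: does this path deliver DNS/UDP replies larger than 512 bytes?"""
import socket
import struct

OPT_TYPE = 41      # EDNS0 OPT pseudo-RR (RFC 6891)
DO_BIT = 0x8000    # "DNSSEC OK" flag, carried in the OPT record's TTL field
TC_BIT = 0x0200    # truncation bit in the DNS header flags
DNSKEY = 48        # DNSKEY answers on signed zones are a natural size probe
QUERY_ID = 0x1234  # fixed ID is fine for a diagnostic tool; the reply is matched against it


def encode_name(qname):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=DNSKEY, udp_size=4096, dnssec_ok=True):
    """Build a query with one question and one OPT record advertising `udp_size` bytes."""
    # flags 0x0100 = RD; one question, no answer/authority, one additional RR (the OPT)
    header = struct.pack("!HHHHHH", QUERY_ID, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root name, TYPE 41, CLASS field carries the UDP payload size,
    # TTL field carries extended RCODE / version / flags (DO bit), empty RDATA
    ttl = DO_BIT if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return header + question + opt


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Summarise a raw DNS reply: size, TC bit, RCODE, answer count, responder's EDNS buffer."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # QTYPE + QCLASS
    edns_udp_size = None
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == OPT_TYPE:
            edns_udp_size = rclass  # OPT reuses CLASS as the advertised UDP payload size
        off += 10 + rdlen
    return {
        "id": ident,
        "size": len(data),
        "truncated": bool(flags & TC_BIT),
        "rcode": flags & 0x000F,
        "answers": an,
        "edns_udp_size": edns_udp_size,
    }


def probe(server, qname, udp_size=4096, timeout=3.0):
    """Send one EDNS0 query over UDP; return parse_response() of the reply, or None on timeout."""
    query = build_query(qname, udp_size=udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    result = parse_response(data)
    return result if result["id"] == QUERY_ID else None


def sample_truncated_reply():
    """Constructed sample (not a captured packet): a reply with TC set and an OPT advertising
    512 bytes, the shape a 512-byte-limited path produces for an oversized DNSKEY answer."""
    header = struct.pack("!HHHHHH", QUERY_ID, 0x8380, 1, 0, 0, 1)  # QR|TC|RD|RA, NOERROR
    question = encode_name("example.net") + struct.pack("!HH", DNSKEY, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 512, 0, 0)
    return header + question + opt


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # placeholder: your resolver
    qname = sys.argv[2] if len(sys.argv) > 2 else "example.net"  # placeholder: a signed zone
    for size in (512, 1232, 4096):
        r = probe(server, qname, udp_size=size)
        status = ("no reply (timeout)" if r is None else
                  f"{r['size']} bytes, TC={r['truncated']}, responder buffer={r['edns_udp_size']}")
        print(f"advertised {size:4d}: {status}")
```

Read the three lines together: a reply that stays under 512 bytes regardless of the advertised size, or a timeout once the answer would exceed 512 bytes, points at a middlebox rather than the resolver. TC=True means the client must retry over TCP, which the report found only one of the tested proxies could pass.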
