[dns-operations] dropping fragmented requests

Shane Kerr shane at time-travellers.org
Mon Apr 11 13:22:08 UTC 2016


Vadim,

At 2016-04-08 20:50:40 +0000
"Meleshuk, Vadim" <meleshuk at amazon.com> wrote:

> Is there any real legitimate scenario requiring IP fragmentation
> support for requests? Sure, MTU could theoretically be as low as 68
> and queries could be longer than that, but does that happen out there?

Reverse queries for IPv6 are larger than 68 bytes (a quick check here
found mine to be 101 bytes).

I don't think that you need to worry about fragmentation at layer 3 or
higher for packets that small on modern networks though. Indeed if you
switch to IPv6 you can assume 1280 bytes or more. :)
 
> We received some reflection attack traffic that was fragmented and I
> was wondering whether it is safe to just drop it altogether.

I can't think of a way to construct a query packet larger than 300
bytes or so. I think you're pretty safe dropping query fragments.

Cheers,

--
Shane
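
The sizes discussed in the message above can be checked by building the queries in wire format; this is an added example, not part of the original post. It assumes the 101-byte figure is the DNS message with a bare EDNS0 OPT record (the message does not say how it was measured), and the address 2001:db8::1, the transaction ID and the function names are constructed for illustration.

```python
import ipaddress
import struct

IPV4_MIN_MTU = 68          # minimum IPv4 MTU, the figure quoted in the thread
IPV6_MIN_MTU = 1280        # minimum IPv6 link MTU
UDP_HDR, IPV4_HDR, IPV6_HDR = 8, 20, 40   # IPv4 header without options

def encode_name(name):
    """Encode a domain name in DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > 255:
        raise ValueError("encoded name exceeds 255 bytes")
    return out

def build_query(name, qtype, edns_size=None, txid=0x1234):
    """One-question DNS query; appends a bare EDNS0 OPT RR if edns_size is set."""
    arcount = 1 if edns_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)        # class IN
    if edns_size:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return msg

def ipv6_ptr_query(addr, edns_size=None):
    """PTR (type 12) query for the ip6.arpa name of an IPv6 address."""
    return build_query(ipaddress.ip_address(addr).reverse_pointer, 12, edns_size)

def longest_query(edns_size=4096):
    """A (type 1) query whose QNAME fills the 255-byte limit (labels 63+63+63+61)."""
    name = ".".join("a" * n for n in (63, 63, 63, 61))
    return build_query(name, 1, edns_size)

if __name__ == "__main__":
    for label, msg in (("IPv6 PTR", ipv6_ptr_query("2001:db8::1")),
                       ("IPv6 PTR + OPT", ipv6_ptr_query("2001:db8::1", 4096)),
                       ("max QNAME + OPT", longest_query())):
        v4, v6 = len(msg) + UDP_HDR + IPV4_HDR, len(msg) + UDP_HDR + IPV6_HDR
        print(f"{label}: dns={len(msg)} ipv4={v4} ipv6={v6} "
              f"over68={v4 > IPV4_MIN_MTU} under1280={v6 < IPV6_MIN_MTU}")
```

EDNS options such as cookies or padding would add to these totals; the example deliberately uses an OPT record with no options.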