[dns-operations] dropping fragmented requests

Shane Kerr shane at time-travellers.org
Mon Apr 11 15:09:10 UTC 2016


At 2016-04-11 10:05:21 -0400
David Conrad <drc at virtualized.org> wrote:

> > I think you're pretty safe dropping query fragments.  
> Given our painful collective experience with making assumptions about
> what is "safe", I think this is bad advice.

I'll grant that it depends on your tolerance for breakage and the
amount of time you spend on the care & feeding of your DNS.

Even though I have worked at DNS companies for the past several years,
at one of them we had to deal with a firewall that was configured to
drop IPv4 fragments - which broke *answers* when DNSSEC started being

Still, it was quickly identified and fixed. If it let the network
administrators sleep easier for a few years until that point, possibly
it was a worthwhile trade-off. (Although if the network administrators
had asked I would not have advised dropping fragmented *answers*, even

Note finally that there are attacks against DNS using IP fragmentation
that are actually very difficult to avoid:
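
As an added illustration of what "dropping fragments" means at the packet level (example code written for this page, not from Shane's post or any firewall product): only the first fragment of a UDP datagram carries the UDP header, so a stateless filter that wants to drop fragmented *queries* while letting fragmented *answers* through has nothing to decide on for the later fragments. The packets are constructed by hand with the standard library, using a 1500-byte MTU, zeroed checksums and RFC 5737 documentation addresses; all of that is assumption for the sake of the demo.

```python
"""Show what a stateless "drop IP fragments" rule can and cannot see for DNS.

Added example; not code from the mailing-list post. Packet bytes below are
constructed by hand (IP checksum left zero, addresses from the RFC 5737
documentation ranges), so this runs offline with only the standard library.
"""
import struct
from dataclasses import dataclass
from typing import Optional

DNS_PORT = 53
PROTO_UDP = 17
IP_MF = 0x2000            # "More Fragments" flag in the flags/offset field
IP_OFFSET_MASK = 0x1FFF   # fragment offset, counted in 8-byte units
MTU = 1500                # assumed path MTU for the constructed fragments


@dataclass
class Verdict:
    is_fragment: bool
    first_fragment: bool
    src_port: Optional[int]   # None when no UDP header is visible
    dst_port: Optional[int]
    role: str                 # "query", "answer", "unknown" or "not-dns"


def build_ipv4(payload: bytes, ident: int, offset_units: int, more: bool) -> bytes:
    """Prepend a 20-byte IPv4 header (no options, checksum zeroed)."""
    flags_frag = (IP_MF if more else 0) | (offset_units & IP_OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, PROTO_UDP, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return hdr + payload


def fragment_udp(src_port: int, dst_port: int, data: bytes, ident: int) -> list:
    """Wrap data in UDP and split the datagram into MTU-sized IPv4 fragments."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data
    step = (MTU - 20) // 8 * 8          # fragment payloads are multiples of 8 bytes
    chunks = [udp[i:i + step] for i in range(0, len(udp), step)]
    if len(chunks) == 1:
        return [build_ipv4(udp, ident, 0, False)]
    return [build_ipv4(c, ident, (i * step) // 8, i < len(chunks) - 1)
            for i, c in enumerate(chunks)]


def classify(packet: bytes) -> Verdict:
    """Decide, from one packet alone, whether it is a DNS query or answer."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = flags_frag & IP_OFFSET_MASK
    more = bool(flags_frag & IP_MF)
    is_frag = more or offset != 0
    if proto != PROTO_UDP:
        return Verdict(is_frag, offset == 0, None, None, "not-dns")
    if offset != 0:
        # Non-initial fragment: the UDP header travelled in the first
        # fragment, so ports, and hence direction, are simply not present.
        return Verdict(True, False, None, None, "unknown")
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    role = "query" if dport == DNS_PORT else "answer" if sport == DNS_PORT else "not-dns"
    return Verdict(is_frag, True, sport, dport, role)


def stateless_rule(packet: bytes) -> str:
    """'Drop fragmented queries, keep fragmented answers' as a stateless
    per-packet filter would have to implement it."""
    v = classify(packet)
    if v.is_fragment and v.role == "query":
        return "drop"
    return "pass"


def summarize(packets: list) -> list:
    """Return [(is_fragment, role, verdict), ...] for a list of packets."""
    return [(classify(p).is_fragment, classify(p).role, stateless_rule(p))
            for p in packets]


# Constructed traffic: a small query, and a DNSSEC-sized (1700-byte) answer
# plus an equally large query, both of which fragment at a 1500-byte MTU.
SMALL_QUERY = fragment_udp(40000, DNS_PORT, b"\x00" * 60, ident=1)
BIG_ANSWER = fragment_udp(DNS_PORT, 40000, b"\x00" * 1700, ident=2)
BIG_QUERY = fragment_udp(40001, DNS_PORT, b"\x00" * 1700, ident=3)

if __name__ == "__main__":
    for name, pkts in [("small query", SMALL_QUERY), ("big answer", BIG_ANSWER),
                       ("big query", BIG_QUERY)]:
        print(name, summarize(pkts))
```

Two things to take from the output: the rule only ever drops the *first* fragment of a large query, which is enough to make reassembly fail at the server, but the remaining fragments still pass and sit in the server's reassembly queue until they time out; and every second fragment, query or answer, is classified "unknown", because the ports are not there to look at. Telling fragmented answers from fragmented queries reliably needs a filter that reassembles (or at least tracks) the datagram, which is exactly the state a simple "drop all fragments" rule is trying to avoid keeping.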




