Anycast 101

No, firewalls have nothing to do with it. Section 4.2.1 of RFC 1035
says:

   Messages carried by UDP are restricted to 512 bytes (not counting the IP
   or UDP headers).

There's a large installed base of machines that conform to that limit
and don't understand EDNS0. I'll leave the packet layout and
arithmetic as an exercise for the reader (cheaters may want to run
tcpdump on 'dig ns .' and examine the result), but the net result is
what Iljitsch said: you can only fit about 13 servers into a response.

    --Steve Bellovin, http://www.research.att.com/~smb
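The packet layout and arithmetic left as an exercise above, worked in code. This is an added example (mine, not code from the thread, from ISC or from BIND): it builds the wire-format reply to "NS ." following RFC 1035 section 4.1, with name compression, for n servers named a.root-servers.net, b.root-servers.net, ... and reports the resulting size. The glue addresses are constructed from the documentation ranges 192.0.2.0/24 and 2001:db8::/32; only the record sizes matter. With 13 servers and A glue the reply comes to 436 bytes, which leaves room for only two AAAA glue records under the 512-byte limit.

```python
"""Size of a DNS root-priming response ("dig ns .") on the wire, built per
RFC 1035 section 4.1 with name compression, to make the 512-byte arithmetic
concrete. Added example, not code from the thread; the glue addresses are
constructed from the documentation ranges 192.0.2.0/24 and 2001:db8::/32."""
import struct

TTL = 518400  # 6 days; only the record size matters here
ROOT_SERVER_DOMAIN = "root-servers.net"


def encode_name(name, offset, table):
    """Encode `name` as it would appear at message offset `offset`.
    `table` maps already-emitted suffixes to their offsets so that a repeated
    suffix becomes a 2-byte compression pointer (RFC 1035 section 4.1.4)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in table:
            out += struct.pack("!H", 0xC000 | table[suffix])
            return bytes(out)
        table[suffix] = offset + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    out += b"\x00"  # terminating root label; "." itself is this single byte
    return bytes(out)


def add_rr(msg, table, owner, rtype, rdata_builder):
    """Append one resource record: owner NAME, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    msg += encode_name(owner, len(msg), table)
    fixed_at = len(msg)
    msg += struct.pack("!HHIH", rtype, 1, TTL, 0)  # RDLENGTH patched below
    rdata = rdata_builder(len(msg), table)
    msg += rdata
    struct.pack_into("!H", msg, fixed_at + 8, len(rdata))


def priming_response(n_servers, a_glue=True, n_aaaa=0):
    """Build the reply to 'NS .' listing n_servers servers named
    a.root-servers.net, b.root-servers.net, ... with A glue for all of them
    (if a_glue) and AAAA glue for the first n_aaaa. Returns the wire bytes."""
    names = [f"{chr(ord('a') + i)}.{ROOT_SERVER_DOMAIN}" for i in range(n_servers)]
    msg, table = bytearray(), {}
    arcount = (n_servers if a_glue else 0) + n_aaaa
    # Header: ID, flags (QR=1, AA=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg += struct.pack("!HHHHHH", 0x1234, 0x8400, 1, n_servers, 0, arcount)
    # Question: QNAME ".", QTYPE NS (2), QCLASS IN (1)
    msg += encode_name(".", len(msg), table) + struct.pack("!HH", 2, 1)
    for name in names:  # answer section: NS records owned by "."
        add_rr(msg, table, ".", 2, lambda pos, t, n=name: encode_name(n, pos, t))
    if a_glue:  # additional section: A glue, 4-byte RDATA (constructed 192.0.2.x)
        for i, name in enumerate(names):
            add_rr(msg, table, name, 1, lambda pos, t, i=i: bytes([192, 0, 2, i + 1]))
    for i in range(n_aaaa):  # AAAA glue, 16-byte RDATA (constructed 2001:db8::x)
        rdata = b"\x20\x01\x0d\xb8" + b"\x00" * 10 + struct.pack("!H", i + 1)
        add_rr(msg, table, names[i], 28, lambda pos, t, r=rdata: r)
    return bytes(msg)


def servers_fitting(limit=512, aaaa_for_all=False):
    """Largest server count whose priming response (with A glue, plus AAAA
    glue for every server if requested) stays within `limit` bytes."""
    best = 0
    for n in range(1, 27):
        if len(priming_response(n, True, n if aaaa_for_all else 0)) <= limit:
            best = n
    return best


if __name__ == "__main__":
    for n, aaaa in ((13, 0), (13, 2), (13, 3), (13, 13)):
        size = len(priming_response(n, True, aaaa))
        print(f"{n} NS + A glue + {aaaa} AAAA glue: {size} bytes")
    print("servers fitting in 512 bytes with A glue only:", servers_fitting())
    print("servers fitting in 512 bytes with A and AAAA glue:", servers_fitting(aaaa_for_all=True))
```

The count that fits is sensitive to compression: every name here shares the root-servers.net suffix, so each NS RDATA after the first is a one-letter label plus a 2-byte pointer. Set ROOT_SERVER_DOMAIN to something longer, or give each server an unrelated name, to see the figure drop.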

Steven M. Bellovin wrote:

Just because I feel like splitting hairs....

You're both right. As far as we (ISC) can tell, there are lots of
resolvers that authoritative servers can't send big packets to because
they don't grok EDNS0. There are also lots of resolvers that grok
EDNS0 behind firewalls that don't. Big fun can occur when the resolver
indicates EDNS0-compliance from behind such a firewall and keeps
asking because it thinks it's not getting answers.... For extra credit,
try to deploy DNSSEC in this reality.

It's not for nothing that we speak of extending the DNS protocol as
"rebuilding the airplane in flight" around here....

To add, there are also a lot of edge appliances (Company C appliances
that start with P) that block 53/tcp >= 512B by default without admins
realizing, hence EDNS gets actively blocked while normal DNS traffic
works (this is a major issue for Enterprise Windows Admins.)

a message of 26 lines which said:

I'll leave the packet layout and arithmetic as an exercise for the
reader

This has been already done :-)

http://w6.nic.fr/dnsv6/resp-size.html

You're new here, aren't you? ;-)

It happens *all* *the* *time* (probably just as often as sites that block
all ICMP including 'frag needed' and wonder why PMTU Discovery breaks and
connections hang).

The *real* operational problem is that almost 100% of the time that there's
a firewall blocking 53/tcp, the person running the firewall is (a) unaware
that it's blocking it and (b) doesn't even realize that DNS *can* use TCP....

Quite often, there's even a "(c) they don't even know they have a firewall" just
to make things really interesting.

One of the most common misconceptions I've encountered, and have had heated
debates over with some would-be admins, is the belief that the only "proper"
use of 53/tcp for DNS is for zone transfers. For that reason they explicitly
block 53/tcp in their firewalls. Same thing with that good old misconception
that all forms of ICMP are evil and should be blocked.

Doug
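The truncation-and-retry mechanism behind the last two messages, as an added example (mine, not code from the thread): a resolver routine that accepts a UDP reply unless the TC bit is set, and otherwise repeats the query over TCP with the two-byte length prefix RFC 1035 section 4.2.2 requires. The server is a constructed stand-in that truncates over UDP when the full reply would exceed 512 bytes and can be told to drop 53/tcp; the answer section it returns is filler, not real records. With TCP blocked the resolver is left with a truncated answer and no way forward, which is what the firewall cases above look like from the resolver's side.

```python
"""A resolver's handling of a UDP reply with TC set: retry over 53/tcp using
the 2-byte length framing of RFC 1035 section 4.2.2. Added example, not from
the thread; the server and its replies are constructed stand-ins."""
import struct

FLAG_QR, FLAG_RD, FLAG_TC = 0x8000, 0x0100, 0x0200


def parse_header(msg):
    """Return (id, flags, (QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT)) from the 12-byte header."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return ident, flags, (qd, an, ns, ar)


def is_truncated(msg):
    """True when the server set TC, i.e. the UDP reply was cut short."""
    return bool(parse_header(msg)[1] & FLAG_TC)


def tcp_frame(msg):
    """Prefix a DNS message with its 16-bit big-endian length for a TCP stream."""
    return struct.pack("!H", len(msg)) + msg


def read_tcp_frame(stream):
    """Inverse of tcp_frame: pull one length-prefixed message off a byte string."""
    (n,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + n]


def resolve(query, send_udp, send_tcp):
    """Send over UDP; if the reply is truncated, repeat over TCP.
    send_udp / send_tcp are callables (bytes -> bytes); send_tcp raises
    OSError when 53/tcp is unreachable. Returns (reply, transport)."""
    reply = send_udp(query)
    if parse_header(reply)[0] != parse_header(query)[0]:
        raise ValueError("reply ID does not match query")
    if not is_truncated(reply):
        return reply, "udp"
    try:
        full = read_tcp_frame(send_tcp(tcp_frame(query)))
    except OSError as e:
        raise RuntimeError(f"truncated UDP answer and TCP retry failed: {e}") from e
    return full, "tcp"


def fake_server(answer_payload, tcp_blocked=False):
    """Constructed server: the full reply is header + question + answer_payload
    (filler standing in for the answer section). Over UDP it returns only the
    header and question with TC set when the full reply would exceed 512
    bytes; tcp_blocked simulates a firewall silently dropping 53/tcp."""
    def full_reply(query):
        ident = parse_header(query)[0]
        return struct.pack("!HHHHHH", ident, FLAG_QR, 1, 1, 0, 0) + query[12:] + answer_payload

    def udp(query):
        reply = full_reply(query)
        if len(reply) <= 512:
            return reply
        ident = parse_header(query)[0]
        return struct.pack("!HHHHHH", ident, FLAG_QR | FLAG_TC, 1, 0, 0, 0) + query[12:]

    def tcp(framed_query):
        if tcp_blocked:
            raise OSError("connection timed out")
        return tcp_frame(full_reply(read_tcp_frame(framed_query)))

    return udp, tcp


# Constructed query for 'NS .' with RD set: 12-byte header + 5-byte question.
QUERY = struct.pack("!HHHHHH", 0xBEEF, FLAG_RD, 1, 0, 0, 0) + b"\x00" + struct.pack("!HH", 2, 1)

if __name__ == "__main__":
    for label, payload, blocked in (("small", 100, False), ("large", 600, False), ("large, tcp blocked", 600, True)):
        udp, tcp = fake_server(b"\x00" * payload, tcp_blocked=blocked)
        try:
            reply, transport = resolve(QUERY, udp, tcp)
            print(f"{label}: {len(reply)} bytes via {transport}")
        except RuntimeError as e:
            print(f"{label}: {e}")
```

The failure mode is the interesting part: the resolver gets a syntactically valid reply with no answer and a retry that times out, so nothing in the chain reports "firewall", only "DNS is flaky for some names".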