Anycast 101

No, firewalls have nothing to do with it. Section 4.2.1 of RFC 1035

   Messages carried by UDP are restricted to 512 bytes (not counting the IP
   or UDP headers).

There's a large installed base of machines that conform to that limit
and don't understand EDNS0. I'll leave the packet layout and
arithmetic as an exercise for the reader (cheaters may want to run
tcpdump on 'dig ns .' and examine the result), but the net result is
what Iljitsch said: you can only fit about 13 servers into a response.

    --Steve Bellovin,

Steven M. Bellovin wrote:

Just because I feel like splitting hairs....

You're both right. As far as we (ISC) can tell, there are lots of
resolvers that authoritative servers can't send big packets to because
they don't grok EDNS0. There are also lots of resolvers that grok
EDNS0 behind firewalls that don't. Big fun can occur when the resolver
indicates EDNS0-compliance from behind such a firewall and keeps
asking because it thinks it's not getting answers....For extra credit,
try to deploy DNSSEC in this reality.

It's not for nothing that we speak of extending the DNS protocol as
"rebuilding the airplane in flight" around here....

To add, there are also a lot of edge appliances (Company C appliances
that start with P) that block 53/tcp >= 512B by default without admins
realizing, hence EDNS gets actively blocked while normal DNS traffic
works (this is a major issue for Enterprise Windows Admins.)

a message of 26 lines which said:

I'll leave the packet layout and arithmetic as an exercise for the

This has been already done :slight_smile:

You're new here, aren't you? :wink:

It happens *all* *the* *time* (probably just as often as sites that block
all ICMP including 'frag needed' and wonder why PMTU Discovery breaks and
connections hang).

The *real* operational problem is that almost 100% of the time that there's
a firewall blocking 53/tcp, the person running the firewall is (a) unaware
that it's blocking it and (b) doesn't even realize that DNS *can* use TCP....

Quite often, there's even a "(c) they don't even know they have a firewall" just
to make things really interesting.

One of the most common misconceptions I've encountered and had heated debates with some would-be admins is the belief that the only "proper" use of 53/tcp for DNS is for zone transfers. For that reason they explicitly block 53/tcp in their firewalls. Same thing with that good old misconception that all forms of ICMP are evil and should be blocked.