Tuesday, April 12, 2022

Re: Question about /etc/resolvd.conf and local resolver

On 2022-03-27 07:05, Stuart Henderson wrote:
> On 2022-03-27, Peter J. Philipp <pjp@delphinusdns.org> wrote:
>> Some fun facts about DNS. A DNS packet can be 0xffff hex (or 65535 bytes dec)
>> maximally. This is true for TCP DNS packets, which serve an unsigned short
>> length indicator before the packet segment. With UDP it's a bit different:
>> a UDP packet can be maximally 65535 bytes long, but often the MTU of the
>> interface doesn't allow this much room, so it fragments at the IP layer if the
>> MTU is below that value. There is a constraint in UDP DNS keeping it to 512
>> bytes without EDNS set; it can be increased with an EDNS header. Usually the
>> value for this is 4096, but over time it has been reduced to 1232, which was
>> invented at a DNS flag day, which was a community event with the DNS community.
>
> TL;DR: with OpenBSD current resolver settings I suggest leaving it alone.
>
> The reason for this general change to 1232 is to avoid fragmentation
> and MTU blackholes - e.g. if the internet connection goes over a 1492
> MTU pppoe connection and a restrictive firewall somewhere drops the
> frag-needed message, the lookup can fail.
>
> This generally doesn't apply to TCP as often because most typical
> connections with restricted MTU are behind routers that adjust MSS in
> TCP SYN packets to avoid fragmentation.
>
> OpenBSD's system resolver still uses 4096 though (MAXPACKETSZ in
> libc/asr/asr_private.h). Now, for queries against localhost that's not
> going to be an issue as the default MTU on loopback on OpenBSD is
> 32768 bytes. But on the other hand, the latency is low so 3-way
> handshake is going to be very quick anyway, so there's little point.
>
> If you're querying a resolver on the internet over an MTU smaller
> than the DNS server's (as is the case with many standard internet
> connections) doing a query with the edns0 buffer size set to 4096
> could easily cause problems with some large responses. But you won't
> notice anything wrong unless you actually do such a query, probably
> long after you touched the setting.


Hi Peter and Stuart,

Apologies for my late reply! Thanks to both of you for your detailed
answers. I believe I will leave things as they are.

For people reading this thread ...

/etc/resolv.conf is the traditional file for configuring the system
resolver(s) while /etc/resolvd.conf is the configuration file for the
resolvd *daemon*, which is also involved in the configuration of the
system resolver(s).

From: man resolvd

"resolvd handles the contents of /etc/resolv.conf... [resolvd] monitors
the routing socket for proposals from dhclient(8), dhcpleased(8) ... etc."

- J
