From 54c360631bb59007bd2c8d4f614dfdf09537c2cc Mon Sep 17 00:00:00 2001
From: Pieter Lexis
Date: Wed, 2 Jan 2019 14:31:20 +0100
Subject: [PATCH] rec: Lower default EDNS0 buffersizes

This should prevent issues with networks that drop fragments, have broken PMTU detection, etc. This commit lowers both the udp-truncation-threshold (stub<->res) and edns-outgoing-bufsize (rec<->auths).

---
 pdns/pdns_recursor.cc | 4 ++--
 pdns/recursordist/docs/settings.rst | 17 +++++++++++++++--
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 28360e42b..e921b38ec 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -4185,8 +4185,8 @@ int main(int argc, char **argv)
 ::arg().setSwitch( "any-to-tcp","Answer ANY queries with tc=1, shunting to TCP" )="no";
 ::arg().setSwitch( "lowercase-outgoing","Force outgoing questions to lowercase")="no";
 ::arg().setSwitch("gettag-needs-edns-options", "If EDNS Options should be extracted before calling the gettag() hook")="no";
- ::arg().set("udp-truncation-threshold", "Maximum UDP response size before we truncate")="1680";
- ::arg().set("edns-outgoing-bufsize", "Outgoing EDNS buffer size")="1680";
+ ::arg().set("udp-truncation-threshold", "Maximum UDP response size before we truncate")="1232";
+ ::arg().set("edns-outgoing-bufsize", "Outgoing EDNS buffer size")="1232";
 ::arg().set("minimum-ttl-override", "Set under adverse conditions, a minimum TTL")="0";
 ::arg().set("max-qperq", "Maximum outgoing queries per query")="50";
 ::arg().set("max-total-msec", "Maximum total wall-clock time per query in milliseconds, 0 for unlimited")="7000";
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 31f66737d..053160a83 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
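Review bot: The two new `"1232"` literals on the udp-truncation-threshold and edns-outgoing-bufsize lines carry no hint of where the number comes from; the derivation lives only in settings.rst, so the next person tuning these defaults in main() sees a bare magic constant. A comment above the pair would keep code and docs in step: `// 1232 = IPv6 minimum MTU (1280, RFC 8200 §5) minus IPv6 (40) and UDP (8) headers, so answers never need fragmentation; see docs/settings.rst`. The two values are also independent strings that merely happen to agree; if they are meant to move together, one named default (e.g. `static const std::string defaultEDNSBufsize = "1232";`, a constructed name) used on both lines would stop them drifting apart in a later edit. Since udp-truncation-threshold governs answers to stubs, lowering it presumably raises the share of TC=1 replies and TCP retries, which the help string could mention so operators with working PMTU know the knob is there to raise. main() starts and ends outside the hunk.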
@@ -419,8 +419,16 @@ found, the recursor fallbacks to sending 127.0.0.1. ``edns-outgoing-bufsize`` ------------------------- +.. versionchanged:: 4.2.0 + Before 4.2.0, the default was 1680 + - Integer -- Default: 1680 +- Default: 1232 + +.. note:: Why 1232? + + 1232 is the largest number of payload bytes that can fit in the smallest IPv6 packet. + IPv6 has a minumum MTU of 1280 bytes (:rfc:`RFC 8200, section 5 <8200#section-5>`), minus 40 bytes for the IPv6 header, minus 8 bytes for the UDP header gives 1232, the maximum payload size for the DNS response. This is the value set for the EDNS0 buffer size in outgoing packets. Lower this if you experience timeouts. @@ -1395,14 +1403,19 @@ See `udp-source-port-min`_. ``udp-truncation-threshold`` ---------------------------- +.. versionchanged:: 4.2.0 + Before 4.2.0, the default was 1680 + - Integer -- Default: 1680 +- Default: 1232 EDNS0 allows for large UDP response datagrams, which can potentially raise performance. Large responses however also have downsides in terms of reflection attacks. This setting limits the accepted size. Maximum value is 65535, but values above 4096 should probably not be attempted. +To know why 1232, see the note at :ref:`setting-edns-outgoing-bufsize`. + .. _setting-use-incoming-edns-subnet: ``use-incoming-edns-subnet`` -- 2.40.0