[Pdns-users] [Help] Increase DNS UDP Message Size

Stefan Schmidt zaphodb at zaphods.net
Mon Nov 12 17:05:28 UTC 2012


On Mon, Nov 12, 2012 at 10:48 AM, Đức Vinh Hồ <vinh.ho2110 at gmail.com> wrote:

> Hi all,
>

Hi there,


> My website is using PDNS round robin with too many servers pointed to 1
> domain name. I mean:
>
>      Name                                  Type                 Content
>     abc.com                                A                   X.X.X.1
>     abc.com                                A                   X.X.X.2
> .....
>     abc.com                                A                   X.X.X.50
> .....
>
> A couple of days ago, my boss complained to me that sometimes he can't access the
> website at night.
> After much research, I found that a DNS message carried in UDP *cannot* exceed 512 bytes.
> When a UDP DNS message exceeds 512 octets/bytes, the *TRUNCATED* bit is
> included in the response, indicating to the client/resolver that not all of
> the answers were returned, and they should re-query using a TCP DNS
> message. I think my DNS round robin records are too large, and that is the
> main cause of my problem.
>
> So, can you show me how to increase the PDNS UDP message size, or some
> solution to make sure PDNS is OK?
>

It is correct that regular UDP DNS responses cannot exceed 512 bytes,
however nowadays most clients (that is usually recursive dns servers such
as google dns for example) make use of a DNS extension header format called
EDNS or EDNS0. See http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS.
Depending on which version of PowerDNS you use it already does support
EDNS0 for a long time as it is needed for DNSSEC operations. And it is also
very likely that most recursive DNS servers speak EDNS0 as well. This
probably mitigates your issue but due to this being a protocol limitation
there is no workaround for it other than limiting the number of IP
addresses in your round-robin-record or making sure all recursive DNS
servers your clients use are EDNS0 capable. Also some firewalls such as
Cisco ASA in earlier default configurations are known to drop DNS responses
that are larger than the 512 byte limit.

> Otherwise, I checked my PDNS log; there are many error phrases:
>
> Nov 12 14:01:44 my-server pdns[23075]: Received a malformed qdomain from
> 74.125.191.19, '%20abc.com': sending servfail
> Nov 12 14:01:54 my-server pdns[23075]: Received a malformed qdomain from
> 74.125.191.26, '%20abc.com': sending servfail
> Nov 12 14:01:54 my-server pdns[23075]: Received a malformed qdomain from
> 74.125.191.17, '%20abc.com': sending servfail
>
> Nov 12 14:02:14 my-server pdns[23075]: Received a malformed qdomain from
> 74.125.191.20, 'xyz,.com': sending servfail
> Nov 12 14:02:24 my-server pdns[23075]: Received a malformed qdomain from
> 74.125.191.26, 'xyz,.com': sending servfail
> Nov 12 14:02:24 my-server pdns[23075]: Received a malformed qdomain from
> 74.125.191.16, 'xyz,.com': sending servfail
>
> After some checking, I found that the IP range 74.125.191.x belongs to Google
> servers, but I think there is some mistake here, because my website domain
> is abc.com, not %20abc.com (%20 = space),
> and my company's other website is xyz.com, not xyz,.com.
>
> Can someone help me understand what the log means?
>

By this message PowerDNS just means to say the same thing that you already
stated, which is that it is getting queries for '%20abc.com' and 'xyz,.com'
which quite simply is a misspelling of your domain names and thus plain
wrong per PowerDNS. PowerDNS resorts to sending a Server Failure response
here because the query it receives is malformed. Usually this is caused by
broken client libraries. When I ran PowerDNS server (auth) in front of
PowerDNS recursor for a while, I witnessed all kinds of weird queries by DSL
clients, such as queries for 'http://www.something.tld' for example.
You can safely ignore those log entries.
As far as I know most of these messages have been silenced in later PowerDNS
releases.

best regards,

 Stefan

