[Pdns-users] [Help] Increase DNS UDP Message Size

ktm at rice.edu
Mon Nov 12 17:21:03 UTC 2012

On Mon, Nov 12, 2012 at 06:05:28PM +0100, Stefan Schmidt wrote:
> On Mon, Nov 12, 2012 at 10:48 AM, Đức Vinh Hồ <vinh.ho2110 at gmail.com> wrote:
> > Hi all,
> >
> Hi there,
> > My website is using PDNS round robin with too many servers pointed to 1
> > domain name. I mean:
> >
> >      Name                                  Type                 Content
> >     abc.com                                A                   X.X.X.1
> >     abc.com                                A                   X.X.X.2
> > .....
> >     abc.com                                A                   X.X.X.50
> > .....
> >
> > A couple of days ago, my boss complained to me that sometimes he can't access the
> > website at night.
> > After much research, I found that a DNS message carried in UDP *cannot* exceed 512 bytes.
> > When a UDP DNS message exceeds 512 octets/bytes, the *TRUNCATED* bit is
> > included in the response, indicating to the client/resolver that not all of
> > the answers were returned, and they should re-query using a TCP DNS
> > message. I think my DNS round robin records are too large, and that is the
> > main cause of my problem.
> >
> > So, can you show me how to increase the PDNS UDP message size, or some
> > solution to make sure PDNS is OK?
> >
> It is correct that regular UDP DNS responses cannot exceed 512 bytes,
> however nowadays most clients (that is usually recursive dns servers such
> as google dns for example) make use of a DNS extension header format called
> EDNS or EDNS0. See http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS.
> Depending on which version of PowerDNS you use it already does support
> EDNS0 for a long time as it is needed for DNSSEC operations. And it is also
> very likely that most recursive DNS servers speak EDNS0 as well. This
> probably mitigates your issue but due to this being a protocol limitation
> there is no workaround for it other than limiting the number of IP
> addresses in your round-robin-record or making sure all recursive DNS
> servers your clients use are EDNS0 capable. Also some firewalls such as
> Cisco ASA in earlier default configurations are known to drop DNS responses
> that are larger than the 512 byte limit.


To add to Stefan's response, since you have no control over how broken
the DNS infrastructure is that is talking to your system, you need to
address the lowest common denominator and restrict your round-robin
DNS record to 512 bytes just like the big boys: Google, Yahoo,...
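The arithmetic behind both replies can be checked directly. The script below is an added example, not code from the thread or from PowerDNS: it encodes a minimal RFC 1035 response for a constructed pool of 50 A records under `abc.com` (addresses drawn from the 192.0.2.0/24 documentation range, since the thread shows only `X.X.X.n`), reports whether a server bound to the classic 512-byte UDP limit would have to set the TC bit, computes how many A records fit under that limit, and reads the EDNS0 buffer size a resolver advertises in its query's OPT record (RFC 6891) so the same calculation can be done against that larger limit. All function names are this example's own.

```python
"""Wire-size arithmetic for a DNS round-robin answer set (constructed example)."""
import struct

DNS_HEADER_LEN = 12
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
CLASSIC_UDP_LIMIT = 512


def encode_name(name):
    """Encode a dotted name as DNS labels: 'abc.com' -> b'\\x03abc\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_response(qname, addrs, txn_id=0x1234, ttl=300):
    """Response with one A record per address; owner names are compression
    pointers to the question name at offset 12, so each A record costs 16 bytes."""
    header = struct.pack("!HHHHHH", txn_id, 0x8500, 1, len(addrs), 0, 0)  # QR=1 AA=1 RD=1
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b""
    for addr in addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        answers += (b"\xc0\x0c"  # pointer to the question name
                    + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata)
    return header + question + answers


def response_size(qname, addrs):
    return len(build_response(qname, addrs))


def would_truncate(qname, addrs, limit=CLASSIC_UDP_LIMIT):
    """True if a server bound by `limit` bytes would have to set TC=1."""
    return response_size(qname, addrs) > limit


def max_a_records(qname, limit=CLASSIC_UDP_LIMIT):
    """How many A records for `qname` fit in a response of at most `limit` bytes."""
    fixed = DNS_HEADER_LEN + len(encode_name(qname)) + 4  # header + question section
    per_record = 2 + 2 + 2 + 4 + 2 + 4                     # ptr, type, class, ttl, rdlen, rdata
    return max(0, (limit - fixed) // per_record)


def build_query(qname, edns_udp_size=None, txn_id=0x1234):
    """Client query; with edns_udp_size set it carries an EDNS0 OPT record."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, arcount)  # RD=1
    msg = header + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if edns_udp_size:
        # OPT RR: root name, type 41, CLASS field carries the UDP payload size,
        # TTL field carries extended RCODE/version/flags (all zero), no options.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def advertised_udp_size(query):
    """EDNS0 buffer size advertised by a query, or 512 when it has no OPT RR."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", query[4:12])

    def skip_name(p):
        while query[p] != 0:
            if query[p] & 0xC0 == 0xC0:  # a compression pointer ends the name
                return p + 2
            p += query[p] + 1
        return p + 1

    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4
    for _ in range(ancount + nscount):
        pos = skip_name(pos)
        pos += 10 + struct.unpack("!H", query[pos + 8:pos + 10])[0]
    for _ in range(arcount):
        pos = skip_name(pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[pos:pos + 10])
        if rtype == TYPE_OPT:
            return rclass
        pos += 10 + rdlen
    return CLASSIC_UDP_LIMIT


if __name__ == "__main__":
    pool = ["192.0.2.%d" % i for i in range(1, 51)]  # constructed 50-address pool
    print("50 A records:", response_size("abc.com", pool), "bytes; TC needed over UDP/512:",
          would_truncate("abc.com", pool))
    print("max A records under 512 bytes:", max_a_records("abc.com"))
    size = advertised_udp_size(build_query("abc.com", edns_udp_size=4096))
    print("resolver advertises EDNS0 buffer:", size, "-> fits", max_a_records("abc.com", size))
```

With a 7-character zone apex like `abc.com`, 30 A records fit in 505 bytes and the 31st pushes the answer past 512, which is why a 50-address pool forces TC=1 for every non-EDNS0 resolver; a resolver advertising a 4096-byte buffer would accept several hundred, but, as both replies note, the cautious choice is to size the record set for the 512-byte case.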
