May 3, 2018 · DNS 本文字数: 539 阅读时长:3 min 全站字数:345.6k

为什么DNS的UDP包有512字节的限制

  1. 问题
  2. 原因
  3. 更大的UDP包支持
  4. 参考资料

问题

In DNS Protocol design, UDP transport Block size (payload size) has been limited to 512-Bytes to optimize performance whilst generating minimal network traffic.

原因

The 512 byte payload guarantees that DNS packets can be reassembled if fragmented in transit. Also, generally speaking there’s less chance of smaller packets being randomly dropped.

即使被IP分片,dns包也不会分开。不会丢包。最小化网络流量并提高性能。

The IPv4 standard specifies that every host must be able to reassemble packets of 576 bytes or less. With an IPv4 header (20 bytes, though it can be as high as 60 bytes w/ options) and an 8 byte UDP header, a DNS packet with a 512 byte payload will be smaller than 576 bytes.

IPv4协议

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Total Length:  16 bits
Total Length is the length of the datagram, measured in octets,
including internet header and data. This field allows the length of
a datagram to be up to 65,535 octets. Such long datagrams are
impractical for most hosts and networks. All hosts must be prepared
to accept datagrams of up to 576 octets (whether they arrive whole
or in fragments). It is recommended that hosts only send datagrams
larger than 576 octets if they have assurance that the destination
is prepared to accept the larger datagrams.

The number 576 is selected to allow a reasonable sized data block to
be transmitted in addition to the required header information. For
example, this size allows a data block of 512 octets plus 64 header
octets to fit in a datagram. The maximal internet header is 60
octets, and a typical internet header is 20 octets, allowing a
margin for headers of higher level protocols.

https://tools.ietf.org/html/rfc791 Total Length说明

As @RyanRies says: DNS can use TCP for larger payloads and for zone transfers and DNSSEC. There’s a lot more latency when TCP comes into play because, unlike UDP, there’s a handshake between the client and server before any data begins to flow.

A related note: the reason there will always be 13 root DNS resolver names (a.root-servers.net through m.root-servers.net) is because that is the maximum number that can fit in a DNS response to a query for the root without exceeding the 512 byte limit. Thus, even as we add more physical servers to the root DNS infrastructure, logically there will always remain thirteen root servers. –

更大的UDP包支持

Modern DNS is not actually limited to 512 bytes payload for UDP anymore.

With EDNS0 in use a larger payload size can be specified, which is also commonly the case for DNSSEC-aware clients.

The support for larger payloads over UDP has been a double-edged sword, however, it is in part the reason why using nameservers for amplification attacks has become more popular as you can achieve better amplification if the attacker uses a query that gets a large response.

参考资料

  1. See rfc2671 for the nitty-gritty details of EDNS0
  2. https://serverfault.com/questions/587625/why-dns-through-udp-has-a-512-bytes-limit