On 2022-03-27 07:05, Stuart Henderson wrote:
On 2022-03-27, Peter J. Philipp <p...@delphinusdns.org> wrote:
Some fun facts about DNS.  A DNS packet can be 0xffff hex (or 65535 bytes dec)
maximally.  This is true for TCP DNS packets, which serve an unsigned short
indicator of length before the packet segment.  With UDP it's a bit different:
a UDP packet can be maximally 65535 bytes long, but often the MTU of the
interface doesn't allow this much room, so it fragments at the IP layer if the
MTU is below that value.  There is a constraint in UDP DNS keeping it to 512
bytes without EDNS set; it can be increased with an EDNS header. Usually the
value for this is 4096, but over time it has been reduced to 1232, which was
invented at a DNS flag day, which was a community event with the DNS community.

TL;DR: with OpenBSD current resolver settings I suggest leaving it alone.

The reason for this general change to 1232 is to avoid fragmentation
and MTU blackholes - e.g. if the internet connection goes over a 1492
MTU pppoe connection and a restrictive firewall somewhere drops the
frag-needed message, the lookup can fail.

This generally doesn't apply to TCP as often because most typical
connections with restricted MTU are behind routers that adjust MSS in
TCP SYN packets to avoid fragmentation.

OpenBSD's system resolver still uses 4096 though (MAXPACKETSZ in
libc/asr/asr_private.h). Now, for queries against localhost that's not
going to be an issue as the default MTU on loopback on OpenBSD is
32768 bytes. But on the other hand, the latency is low so the 3-way
handshake is going to be very quick anyway, so there's little point.

If you're querying a resolver on the internet over an MTU smaller
than the DNS server's (as is the case with many standard internet
connections), doing a query with the edns0 buffer size set to 4096
could easily cause problems with some large responses. But you won't
notice anything wrong unless you actually do such a query, probably
long after you touched the setting.


Hi Peter and Stuart,

Apologies for my late reply! Thanks to both of you for your detailed answers. I believe I will leave things as they are.

For people reading this thread ...

/etc/resolv.conf is the traditional file for configuring the system resolver(s) while /etc/resolvd.conf is the configuration file for the resolvd *daemon*, which is also involved in the configuration of the system resolver(s).

From: man resolvd

"resolvd handles the contents of /etc/resolv.conf... [resolvd] monitors the routing sockets from proposals from dhclient(8), dhcpleased(8) ... etc."

- J
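As an added example (not code from this thread or from OpenBSD's asr), here is a small Python sketch of the EDNS mechanics Peter and Stuart discuss above: building a query that advertises a UDP payload size, reading the size a peer advertised (falling back to 512 when no OPT record is present), checking the TC bit that signals a retry over TCP, and the 16-bit length prefix TCP DNS uses. The function names are mine; the 512/1232/4096 values are the ones quoted in the thread.

```python
import struct

# Values discussed in the thread above
NO_EDNS_LIMIT = 512       # classic UDP DNS limit without EDNS
FLAG_DAY_BUFSIZE = 1232   # DNS flag day recommendation
ASR_MAXPACKETSZ = 4096    # OpenBSD libc asr default (MAXPACKETSZ)

def _encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234, edns_bufsize=None):
    """Build a DNS query; append an EDNS0 OPT pseudo-RR when edns_bufsize is given."""
    arcount = 1 if edns_bufsize is not None else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    pkt += _encode_name(name) + struct.pack("!HH", qtype, 1)     # class IN
    if edns_bufsize is not None:
        # OPT RR (RFC 6891): root owner name, TYPE 41, CLASS carries the UDP
        # payload size, TTL carries ext-RCODE/version/flags, empty RDATA.
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return pkt

def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if ln == 0:
            return off
        off += ln

def advertised_bufsize(pkt):
    """UDP payload size the sender can accept: OPT CLASS field, or 512 if no OPT RR."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for i in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 41 and i >= an + ns:        # OPT lives in the additional section
            return rclass
        off += 10 + rdlen
    return NO_EDNS_LIMIT

def truncated(pkt):
    """True if the TC bit is set, i.e. the answer must be retried over TCP."""
    return bool(struct.unpack("!H", pkt[2:4])[0] & 0x0200)

def tcp_frame(pkt):
    """Prefix the unsigned 16-bit length that DNS over TCP sends before each message."""
    return struct.pack("!H", len(pkt)) + pkt
```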
