DNS packet size -- what's the correct size

David Nolan vitroth+ at cmu.edu
Sun Sep 30 18:17:35 UTC 2007

--On September 30, 2007 9:15:10 AM -0700 Rob Tanner <rtanner at linfield.edu> 

> Hi,
> It's my understanding that the max DNS packet size is 512 bytes and that
> is apparently what Cisco thinks because our firewall is blocking DNS
> packets over that size, calling them malformed.  The problem is that we
> see numerous such packets and the real puzzler is that many of them are
> originate with core servers.
> The issue is getting serious because there are some sites for which I
> can't resolve addresses from on campus, but use an external name server
> and those same sites resolve perfectly.  And, of course, I'm concerned
> that this problem is related the dropping of over sized packets by the
> firewall.
> Is Cisco's default limit too small?  Can someone explain to me what
> might be going on.

Cisco's default limit for UDP DNS packets is historical and no longer 
accurate.  As of RFC 2671, published in 1999, there has been a mechanism 
for servers to communicate DNS responses larger then 512 bytes without 
reverting to TCP.  (TCP DNS responses were the way to work around the 
limit, but involve the significantly higher overhead of establishing TCP 

The servers communicate this capability to each other with extension flags 
set within the DNS query & response packets.  A firewall which filters 
large UDP DNS packets without clearing this flag in DNS packets that pass 
through it will cause problems to the servers.  See this URL for some 
suggestions for avoiding this problem


-David Nolan
 Network Software Designer
 Computing Services
 Carnegie Mellon University

More information about the bind-users mailing list