Limiting the effects of fragmentation on the DNS

Operators of authoritative DNS servers for a .LU domain and resolver operators in the Grand Duchy are invited to validate the configuration of their servers as part of the DNS Flag Day 2020, an initiative that aims to limit the effects of the fragmentation of DNS packets on October 1st 2020.

As the registry of the country code Top Level Domain (ccTLD) for Luxembourg, the Restena Foundation’s DNS-LU service supports the DNS Flag Day 2020. This initiative, led by the international community of DNS (Domain Name System) stakeholders, will take place on October 1st 2020 and focus on issues related to IP fragmentation of DNS packets. Each data packet transferred over the network has indeed a maximum size defined by the Maximum Transfer Unit (MTU). When this MTU, which varies according to the transport technology (fibre, ADSL, satellite, Wi-Fi, etc.) is exceeded, the packet is fragmented into one or more pieces.

Performance, reliability and security of exchanges

To share packets of information between a client and a server, the DNS uses two transport protocols: UDP (User Datagram Protocol) by default, and TCP (Transmission Control Protocol) which, unlike UDP, creates a transport session. This transport session mechanism allows to eventually split a large response from the server into multiple packets that are later reordered and concatenated back together on their arrival following a client request. However, this fragmentation may raise performance and reliability issues as well as security issues. Not only do some devices, such as firewalls, tend to suppress the subsequent truncated packets as they do not necessarily know how to correctly analyze them, but some attacks also aim to inject false malicious subsequent packets when the response is reconstructed.

The use of fragmentation (and therefore TCP) is essential for the proper functioning of the "modern" DNS, particularly when the DNSSEC (Domain Name System Security Extensions) technology is in use to protect zone data of a domain name thanks to cryptographic keys. Unfortunately, some authoritative servers, where this data is stored to be retrieved via the DNS protocol, only use the UDP protocol and totally neglect both the needs and constraints of TCP.

Furthermore, some authoritative servers and servers acting as resolvers (i.e. querying authoritative servers to resolve the user's request) are configured (via the "EDNS buffer size" parameter) to allow the exchange of data packets over UDP larger than the MTU of some communication links. As these packets cannot be fragmented, the network simply deletes them. In absence of response from the server, the client will wait for a 'time-out' before trying to send its request again, leading to a significant loss of time before receiving a correct response.

General recommendations and impact on .lu

To address this issue, minor but significant recommendations in the configuration of the DNS servers are promoted as of October 1st 2020. Two changes directly concern DNS server administrators: respect and configure the "EDNS buffer size" to a minimum of 1232 bytes to ensure compatibility with all current transmission technologies, and ensure that their DNS servers supports both UPD and TCP protocols.

In Luxembourg, the non-compliance of DNS servers operating under the .lu root is low: 96% of operators have an optimal configuration. Only 4% of servers under the .LU, managed by nearly sixty DNS operators, may suffer from performance and reliability issues due to fragmentation as of October 1st 2020. The Restena Foundation’s DNS-LU team has contacted them with several recommendations to follow.

ᐅ All DNS operators with domain names under .LU are invited to check their configurations and test the proper functioning of their servers and resolvers using the test tools accessible on the DNS Flag Day website and to implement the relevant configuration changes if needed.

Quick-Links

Connect yourself to

my.lu logo

my.lu enables you to manage your .lu domain names online - anytime, anywhere

__.lu logo

Read about progressive opening of 1 and 2-character domain names

dns.lu - aspects techniques et juridiques des noms de domaine