changeip
Forum Guru
Topic Author
Posts: 3828
Joined: Fri May 28, 2004 5:22 pm

EDNS Not Implemented?

Thu Oct 08, 2009 8:15 pm

Please add support to Mikrotik DNS the ability to pass EDNS packets (udp > 512 bytes). All the RouterOS boxes I test fail whereas hitting the resolver directly causes a pass.

https://www.dns-oarc.net/oarc/services/replysizetest

Thx,
Sam
Caci99
Forum Guru
Posts: 1073
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: EDNS Not Implemented?

Wed Nov 25, 2009 11:34 pm

How did you test it Sam?
I was having this issue today, but solved it by changing the DNS server.
I was using the OpenDNS server because my ISP server gave some
problems a couple of weeks ago. Today I was forced to switch again
to the ISP DNS server because I was not able to access www.google.com
changeip
Forum Guru
Topic Author
Posts: 3828
Joined: Fri May 28, 2004 5:22 pm

Re: EDNS Not Implemented?

Thu Nov 26, 2009 5:04 am

If you have a Linux box handy you can run this:

dig +short rs.dns-oarc.net txt

It will give you some diags about packet sizes.

snorris@silver:~/mrtg$ dig +short rs.dns-oarc.net txt
rst.x1220.rs.dns-oarc.net.
rst.x1202.x1220.rs.dns-oarc.net.
rst.x1243.x1202.x1220.rs.dns-oarc.net.
"68.15.4.39 DNS reply size limit is at least 1243 bytes"
"68.15.4.39 sent EDNS buffer size 1280"

Try that against a few servers and see what you get:

"dig @serverip +short rs.dns-oarc.net txt"

sam
sergejs
MikroTik Support
Posts: 6689
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: EDNS Not Implemented?

Thu Dec 10, 2009 11:09 am

Have you increased max-udp-packet-size on your MikroTik router in /ip dns configuration?
Caci99
Forum Guru
Posts: 1073
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: EDNS Not Implemented?

Thu Dec 10, 2009 12:33 pm

Yes Sergejs, I tried to increase the udp packet size
and it looked like at first it solved the problem, but then
it happened again. I guess on that day there were a couple
of things causing the dns problems, server side, client side
who knows what else:).
After some hours it was back to normal.
My current settings for the dns are

max-udp-packet-size=1024
cache-size=8192KiB

Until now no problems
changeip
Forum Guru
Topic Author
Posts: 3828
Joined: Fri May 28, 2004 5:22 pm

Re: EDNS Not Implemented?

Thu Dec 10, 2009 7:21 pm

Sergejs,

Mikrotik HAS TO change the default from 512 to larger. The root servers will be signed here in a short time and everything related to DNS will get awkward, and cause Mikrotik TONS of support tickets and uproar. Change the default from 512 now before it's too late.

http://labs.ripe.net:80/content/prepari ... -root-zone
"One of the most visible changes that DNSSEC introduces is that DNS replies become bigger. Every resource record set (RRSet) is accompanied by a signature (RRSIG). In many cases, such responses will be bigger than 512 bytes in size"
Sam
changeip
Forum Guru
Topic Author
Posts: 3828
Joined: Fri May 28, 2004 5:22 pm

Re: EDNS Not Implemented?

Thu Dec 10, 2009 7:25 pm

max-udp-packet-size=1024
cache-size=8192KiB
DNS responses are sometimes 4096 bytes. However, each individual packet will be only 1500 or whatever your MTU is. You should make the max-udp-packet-size your MTU or larger I assume. I would make it 4096 to account for both packet size and dns reply size. In the next year DNS packets will commonly be > 1024 or more.

Sam
Caci99
Forum Guru
Posts: 1073
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: EDNS Not Implemented?

Thu Dec 10, 2009 8:25 pm

Very helpful tip Sam.
Since I am not using any linux machine in my LAN
is there any way, different from what you described before
to investigate these dns packets? Can MikroTik do that?

Thank you, Toni
changeip
Forum Guru
Topic Author
Posts: 3828
Joined: Fri May 28, 2004 5:22 pm

Re: EDNS Not Implemented?

Thu Dec 10, 2009 9:48 pm

You should be able to still run dig on Windows:

ftp://ftp.isc.org/isc/bind9/9.6.1-P2/BIND9.6.1-P2.zip

dig is part of the BIND distro, just unzip and move dig to somewhere on your Windows box you can run it. The same command line syntax should work on Windows.
Caci99
Forum Guru
Posts: 1073
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: EDNS Not Implemented?

Thu Dec 10, 2009 11:36 pm

I just tried that and it gave the following answer:

rst.x486.rs.dns-oarc.net.
rst.x454.x486.rs.dns-oarc.net.
rst.x384.x454.x486.rs.dns-oarc.net.
"208.69.34.6 DNS reply size limit is at least 486 bytes"
"208.69.34.6 lacks EDNS, defaults to 512"

Looks like it is within limits, is it?
changeip
Forum Guru
Topic Author
Posts: 3828
Joined: Fri May 28, 2004 5:22 pm

Re: EDNS Not Implemented?

Fri Dec 11, 2009 12:43 am

That's not good, you want > 512. You should be getting > 1024, and even better > 4000.

Sam


The output should look something like this:

rst.x4001.rs.dns-oarc.net.
rst.x3985.x4001.rs.dns-oarc.net.
rst.x4023.x3985.x4001.rs.dns-oarc.net.
"192.168.1.1 sent EDNS buffer size 4096"
"192.168.1.1 DNS reply size limit is at least 4023 bytes"
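An added example, not code from the thread or from RouterOS: a small Python script that builds the same rs.dns-oarc.net TXT query that dig sends, optionally with an EDNS0 OPT record advertising a UDP buffer size (the thing the reply-size test above is checking), and parses the OPT record out of any DNS message so you can tell the "lacks EDNS, defaults to 512" case from a resolver that advertises 1280 or 4096. Only probe() needs network access; the builder and parser run offline on the constructed packets.

```python
import socket
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type (RFC 6891)

def build_query(name, qtype=16, udp_size=None, txid=0x1234):
    """DNS query for name/qtype (16 = TXT); with udp_size set, append an EDNS0 OPT RR advertising it."""
    arcount = 1 if udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1, one question
    labels = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.rstrip(".").split("."))
    msg = header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN
    if udp_size:
        # OPT RR: root name, TYPE 41, CLASS field carries the UDP payload size, TTL = ext. flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return msg

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def edns_buffer_size(msg):
    """EDNS UDP payload size advertised in a DNS message, or None if it carries no OPT RR (plain 512-byte DNS)."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass  # for OPT the CLASS field is the sender's UDP payload size
        off += 10 + rdlen
    return None

def probe(server, udp_size=4096, timeout=3.0):
    """Send the EDNS query to a resolver over UDP/53 and return (reply length, advertised EDNS size). Needs network."""
    query = build_query("rs.dns-oarc.net", udp_size=udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(udp_size)
    return len(reply), edns_buffer_size(reply)
```

A reply whose advertised size comes back as None is the "lacks EDNS, defaults to 512" case from the dig output above; a reply length capped at exactly 512 while the query advertised more points at a resolver or firewall that strips or ignores EDNS.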
Caci99
Forum Guru
Posts: 1073
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: EDNS Not Implemented?

Fri Dec 11, 2009 1:06 am

I think I understand the test now.
So this is testing the max packet size I can receive
and not the max packet size the dns server is sending, right?

Ok, I made the correction, restarted the firewall rule for redirecting
dns requests to the router itself (disabled/enabled) and now I got
the right answer I think:

rst.x4001.rs.dns-oarc.net.
rst.x3985.x4001.rs.dns-oarc.net.
rst.x4023.x3985.x4001.rs.dns-oarc.net.
"80.78.65.130 DNS reply size limit is at least 4023 bytes"
"80.78.65.130 sent EDNS buffer size 4096"

Very helpful, Sam, thanks a lot
Chupaka
Forum Guru
Posts: 8689
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: EDNS Not Implemented?

Fri Dec 11, 2009 1:24 am

The root servers will be signed here in a short time and everything related to DNS will get awkward, and cause Mikrotik TONS of support tickets and uproar. Change the default from 512 now before it's too late.
Thank God, RouterOS does not do requests to the root servers - it's not a recursive server :D
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: EDNS Not Implemented?

Fri Dec 18, 2009 4:04 pm

Just received this email from the South African co.za administrators but does it apply to Mikrotik?
As of earlier this month, ICANN have started signing the root zone in an offline process (ie not in a live manner). This will gradually be phased in through the course of 2010, starting in January, and culminating in a fully live signed root zone in July 2010. Technically, this means that replies to queries to the root name servers will exceed 512 bytes. This may cause problems for some resolving software that does not support EDNS0, or resolvers that sit behind misconfigured firewalls that arbitrarily enforce a 512 limit on DNS traffic. There are also cases involving the handling of IP fragmentation where problems can occur. You should check that your resolving infrastructure can handle this issue - https://www.dns-oarc.net/oarc/services/replysizetest for a methodology. You may also wish to pass this on to your clients, particularly those who run their own resolving infrastructure, and/or firewalls.
Definitive website: http://www.root-dnssec.org/
More details can be found at: http://labs.ripe.net/content/preparing-k-root-signed-root-zone
Impact on end-user kit: http://download.nominet.org.uk/dnssec-cpe/DNSSEC-CPE-Report.pdf
Best timeline for events: http://www.ripe.net/ripe/meetings/ripe-59/presentations/abley-signed-root.pdf
pedja
Long time Member
Posts: 683
Joined: Sat Feb 26, 2005 5:37 am

Re: EDNS Not Implemented?

Thu Apr 15, 2010 11:58 am

Thank God, RouterOS does not do requests to the root servers - it's not a recursive server :D
The point is not whether MT can query DNSSEC, but that if it has UDP packets limited to 512 bytes, DNSSEC packets, whoever sends them, would not be able to pass through.