Netgate Discussion Forum

DNSSEC and UDP buffer size

DHCP and DNS
21 Posts 6 Posters 16.9k Views
cwadge, last edited May 3, 2010, 5:57 PM

@sullrich:

DNSMASQ does support EDNS. See: http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

The problem in my case was that dnsmasq is throwing away larger than expected UDP replies. Since the reasonable size of a DNS query prior to [stupid] DNSSec is ~512b, the dnsmasq default max value of 1280 was sane. Now that they can potentially surpass 3k and still be legitimate DNS responses, the limit has been raised to 4096 by default in recent builds of dnsmasq. Still, the binary doesn't need to be updated to apply this change. I've tested and confirmed that it works as expected on dnsmasq 2.45 just by setting the config option 'edns-packet-max=4096' either in its config or as an argument at launch.

For further reference:

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2010q2/003896.html

mhab12, last edited May 4, 2010, 6:32 PM

Where is the DNSMasq conf file located in pfSense?

jimp (Rebel Alliance Developer, Netgate), last edited May 4, 2010, 6:45 PM

@mhab12:

Where is the DNSMasq conf file located in pfSense?

pfSense only uses command line parameters for dnsmasq, not a configuration file.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!

mhab12, last edited May 4, 2010, 7:32 PM

Is there any way to pass the larger packet size to dnsmasq via shell or some other conf file at startup?

jimp (Rebel Alliance Developer, Netgate), last edited May 4, 2010, 7:36 PM

If you really want to change it, you can edit line 639 of /etc/inc/services.inc to read:

    mwexec("/usr/local/sbin/dnsmasq --all-servers --edns-packet-max=4096 {$args}");

Though thus far I haven't seen evidence that it will really break without that setting. If it does break, it should be easy to produce a patch or update for that simple change.

mhab12, last edited May 4, 2010, 7:45 PM

Exactly what I was looking for - thank you!

cwadge, last edited May 5, 2010, 1:07 AM

@jimp:

…Though thus far I haven't seen evidence that it will really break without that setting. If it does break, it should be easy to produce a patch or update for that simple change.

Since EDNS is already supported in dnsmasq some DNSSec queries will work, as they come in at under the 1280b payload size expected by dnsmasq's default EDNS value. Others, for instance some signed zones in the .gov and .org TLDs, use much closer to the 4k ceiling defined in RFC2671.

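The two cwadge posts above (the 512 / 1280 / 4096 byte limits, and signed .gov/.org answers landing near the 4k ceiling) describe a wire-level mechanism that is easier to see with packets in hand. The following is an added example, not code from this thread, from dnsmasq or from pfSense: a minimal DNS wire-format builder and parser that constructs a query carrying an EDNS0 OPT record with an advertised UDP payload size, constructs a sample DNSSEC-sized reply locally (nothing is sent on the network), and reads back the TC flag and the responder's advertised size. The function accepted_by is an assumption: it models the thread's failure mode as "a UDP reply longer than the forwarder's EDNS cap is unusable", which is the behaviour cwadge reports, not a reimplementation of dnsmasq. All names and sample values are mine.

```python
"""
Added example (not from the forum thread, dnsmasq or pfSense): build a DNS
query with an EDNS0 OPT record, build a constructed DNSSEC-sized reply, and
parse the fields that decide whether a UDP answer fits: TC flag, total size,
and the EDNS0 UDP payload size the other side advertised.
"""
import struct

CLASSIC_UDP_LIMIT = 512       # DNS over UDP without EDNS0 (RFC 1035)
OLD_DNSMASQ_EDNS_MAX = 1280   # older dnsmasq default named in the thread
NEW_DNSMASQ_EDNS_MAX = 4096   # newer default, i.e. edns-packet-max=4096
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46


def encode_name(name):
    """Dotted name -> DNS labels, e.g. 'example.gov.' -> b'\\x07example\\x03gov\\x00'."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def opt_rr(udp_payload, dnssec_ok=False):
    """EDNS0 OPT pseudo-RR (RFC 6891): root name, TYPE=41, the CLASS field carries
    the UDP payload size, and the DO bit is the top bit of the 16-bit flags half of TTL."""
    ttl = 0x8000 if dnssec_ok else 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, ttl, 0)


def build_query(name, qtype=TYPE_A, txid=0x1234, udp_payload=None, dnssec_ok=False):
    """Recursive query; an OPT RR is appended only when an EDNS0 payload size is given."""
    arcount = 0 if udp_payload is None else 1
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD set
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)        # QCLASS IN
    if udp_payload is not None:
        pkt += opt_rr(udp_payload, dnssec_ok)
    return pkt


def skip_name(pkt, off):
    """Advance past a possibly compressed name; a 2-byte pointer (top bits 11) ends it."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_sample_response(query, rrsig_len, udp_payload=4096, truncated=False):
    """Constructed reply (sample data): echoes the question, adds one A record and a
    zero-filled stand-in RRSIG of rrsig_len bytes, then the responder's own OPT RR."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if truncated else 0)                  # QR, RD, RA (+TC)
    q_end = skip_name(query, 12) + 4
    pkt = struct.pack("!HHHHHH", txid, flags, 1, 2, 0, 1) + query[12:q_end]
    ptr = b"\xc0\x0c"                                              # pointer to QNAME at offset 12
    pkt += ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    pkt += ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, rrsig_len) + b"\x00" * rrsig_len
    return pkt + opt_rr(udp_payload, dnssec_ok=True)


def parse_response(pkt):
    """Return TC flag, RCODE, total length, and the EDNS0 UDP size / DO bit found in
    the OPT RR (edns_udp_size is None when the packet carries no OPT RR)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    info = {"txid": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "length": len(pkt), "edns_udp_size": None, "dnssec_ok": False}
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4                              # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            info["edns_udp_size"] = rclass
            info["dnssec_ok"] = bool(ttl & 0x8000)
        off += rdlen
    return info


def accepted_by(pkt, edns_packet_max):
    """Assumed, simplified model of the thread's failure: a UDP reply longer than the
    forwarder's EDNS cap is thrown away rather than used."""
    return len(pkt) <= edns_packet_max


if __name__ == "__main__":
    q = build_query("example.gov.", udp_payload=4096, dnssec_ok=True)
    big = build_sample_response(q, rrsig_len=2000)                 # ~2 KB signed answer
    info = parse_response(big)
    for cap in (CLASSIC_UDP_LIMIT, OLD_DNSMASQ_EDNS_MAX, NEW_DNSMASQ_EDNS_MAX):
        print(f"{info['length']}-byte reply, cap {cap}: accepted={accepted_by(big, cap)}")
```

Run as a script it shows the 2068-byte constructed reply rejected at the 512 and 1280 caps and accepted only at 4096. The same check against a real resolver is what `dig +dnssec +bufsize=4096 <name>` does: if the answer comes back with the TC flag or not at all at a lower bufsize, the path between the client and the authoritative server is clamping EDNS below what signed zones need.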
jimp (Rebel Alliance Developer, Netgate), last edited May 5, 2010, 1:25 AM

I added a very simple package that just applies a patch that makes the change I mentioned. If you find you need it, just install the "dnsmasq EDNS size increase" package that should show up momentarily in the package repo.

cwadge, last edited May 5, 2010, 2:18 AM

@jimp:

I added a very simple package that just applies a patch that makes the change I mentioned. If you find you need it, just install the "dnsmasq EDNS size increase" package that should show up momentarily in the package repo.

Thanks for the quick patch, Jim. I'm sure that will help people out as new and exciting DNS issues begin to arise.

ezat, last edited May 5, 2010, 2:24 AM

@jimp:

I added a very simple package that just applies a patch that makes the change I mentioned. If you find you need it, just install the "dnsmasq EDNS size increase" package that should show up momentarily in the package repo.

Thanks for the patch. Bit of an issue though.

1.2.3

Parse error: syntax error, unexpected '-', expecting '(' in /usr/local/pkg/dnsmasq-edns.inc on line 3

jimp (Rebel Alliance Developer, Netgate), last edited May 5, 2010, 2:41 AM

Try again in about 5-10 minutes. I just checked in a fix.
