
[public-dns-discuss] Re: Unable to parse mx record for epd.gov.hk



After I modified it to 1232 bytes, the MX record result can be resolved normally, but other records (A, CNAME, ...) have problems in parsing, and sometimes A records will be returned as SOA records.

$ dig  mail2.epd.gov.hk @8.8.8.8

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> mail2.epd.gov.hk @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43528
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mail2.epd.gov.hk. IN A

;; AUTHORITY SECTION:
epd.gov.hk. 91 IN SOA ns1.hk.net. hostmaster.citictel-cpc.com. 2019111802 10800 3600 604800 600

;; Query time: 98 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Nov 18 15:03:16 CST 2019
;; MSG SIZE  rcvd: 118

$ dig  mail2.epd.gov.hk @1.1.1.1

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> mail2.epd.gov.hk @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 654
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;mail2.epd.gov.hk. IN A

;; ANSWER SECTION:
mail2.epd.gov.hk. 600 IN A 202.73.1.100

;; Query time: 566 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Nov 18 15:08:03 CST 2019
;; MSG SIZE  rcvd: 61




On Saturday, November 16, 2019 at 7:10:35 AM UTC+8, Alex Dupuy wrote:
The issue with the MX queries for epd.gov.hk. is that the responses with DNSSEC enabled are quite large, and with the default EDNS0 4096 buffer size that Google Public DNS is currently using, the responses from ns1.hk.net and ns2.hk.net are fragmented and the Google Public DNS resolvers never receive them.

$ dig +tcp +dnssec +nocrypto +noall +stats mx epd.gov.hk @ns1.hk.net
;; Query time: 191 msec
;; SERVER: 152.101.179.98#53(152.101.179.98)
;; WHEN: Fri Nov 15 17:21:43 EST 2019
;; MSG SIZE  rcvd: 2418
$ dig +dnssec +nocrypto +noall +stats mx epd.gov.hk @ns1.hk.net
;; connection timed out; no servers could be reached

As part of DNS Flag Day 2020, recursive resolvers can reduce problems due to blocked UDP DNS fragments by restricting the EDNS0 buffer size to 1232, and authoritative servers can help too, by limiting their response sizes to 1232 even if the client has asked for a larger response.

$ dig +bufsize=1232 +dnssec +nocrypto +noall +stats mx epd.gov.hk @ns2.hk.net
;; Query time: 202 msec
;; SERVER: 152.101.179.98#53(152.101.179.98)
;; WHEN: Fri Nov 15 17:24:19 EST 2019
;; MSG SIZE  rcvd: 1076

While there is currently no configuration for Google Public DNS that would allow us to force all queries to these two name servers to use smaller EDNS0 buffer size, we could mitigate the problem by switching to using TCP for all queries.

Alternately, and more efficiently, it may be possible to configure these two name servers to limit their responses to 1232 bytes (this can usually be done by just omitting optional records from the Additional section).

https://dnsflagday.net/2020/#how-to-test has instructions for some popular open source DNS authoritative name servers (listed below), and if the operators of the ns[12].hk.net name servers can apply one of these, it would solve the problem.

BIND
options {
  max-udp-size 1232;
};

Knot DNS
server:
  max-udp-payload: 1232

PowerDNS Authoritative
udp-truncation-threshold=1232

NSD
server:
  ipv4-edns-size: 1232
  ipv6-edns-size: 1232
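
The negotiation Alex describes above (the client advertises an EDNS0 UDP payload size in its OPT record, the authoritative server answers over UDP only if the response fits within min(client size, server limit), otherwise sets TC and the client retries over TCP) can be checked on the wire without dig. The following is an added example written for this page, not code from the thread or from Google Public DNS: a pure-stdlib builder for a query with a chosen `+bufsize`, a parser that pulls the TC bit and the peer's advertised EDNS size out of a response (handling name compression), and a small model that classifies a UDP answer of a given size as fitting, fragmented, or truncated. The two reply builders are constructed samples standing in for a server configured with a 1232-byte limit and for a plain A answer; the 28-byte header overhead assumes IPv4, the 192.0.2.1 address is a documentation placeholder, and the 2418/1076-byte sizes in the usage block are the ones reported in the thread.

```python
"""Inspect EDNS0 buffer-size negotiation on the DNS wire format (stdlib only)."""
import struct

TYPE_A, TYPE_MX, TYPE_OPT = 1, 15, 41
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
DO_BIT = 0x8000  # DNSSEC OK flag lives in the high half of the OPT TTL field


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(qname, qtype, bufsize, dnssec=True, txid=0x1234):
    """Build a recursion-desired query carrying an OPT RR (like dig +bufsize=N +dnssec)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size,
    # TTL=extended rcode / version / flags (DO bit), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, DO_BIT if dnssec else 0, 0)
    return header + question + opt


def parse_response(msg):
    """Extract what a resolver acts on: rcode, TC bit, section counts, peer's EDNS size."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns_size = rclass                 # CLASS of the OPT RR is the UDP payload size
    return {"id": txid, "rcode": flags & 0x000F, "tc": bool(flags & FLAG_TC),
            "answers": an, "authority": ns, "edns_size": edns_size}


def udp_delivery(response_len, client_bufsize, server_max=65535, mtu=1500):
    """Classify how a UDP answer of `response_len` bytes is likely to fare.

    The server sends at most min(client_bufsize, server_max) bytes over UDP and sets
    TC otherwise; a datagram larger than the path MTU is fragmented, and blocked
    fragments show up as the timeout seen in the thread.  server_max=65535 models a
    server with no configured limit; pass 1232 for the DNS Flag Day 2020 setting.
    """
    limit = min(client_bufsize, server_max)
    if response_len > limit:
        return "truncated"                     # TC=1, client retries over TCP
    if response_len + 28 > mtu:                # assumption: IPv4 (20) + UDP (8) header bytes
        return "fragmented"
    return "fits"


def constructed_truncated_reply(query):
    """Constructed sample: an empty QR+TC reply from a server limited to 1232 bytes."""
    (txid,) = struct.unpack("!H", query[:2])
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_BIT, 0)
    return header + query[12:qend] + opt


def constructed_a_reply(query, addr="192.0.2.1"):
    """Constructed sample: NOERROR reply with one A RR whose owner is a pointer to the question."""
    (txid,) = struct.unpack("!H", query[:2])
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 600, 4) + bytes(int(o) for o in addr.split("."))
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1452, 0, 0)
    return header + query[12:qend] + rr + opt


if __name__ == "__main__":
    q = build_query("epd.gov.hk", TYPE_MX, 4096)
    print("query bytes:", len(q), "truncated reply:", parse_response(constructed_truncated_reply(q)))
    # Sizes from the thread: 2418 bytes with full DNSSEC data, 1076 bytes with +bufsize=1232
    for size, client, server in [(2418, 4096, 65535), (2418, 1232, 65535), (2418, 4096, 1232), (1076, 1232, 65535)]:
        print(f"{size}-byte answer, client {client}, server max {server}: {udp_delivery(size, client, server)}")
```

The four cases in the usage block reproduce the thread: a 2418-byte answer against a 4096-byte client buffer and an unrestricted server is sent as a fragmented datagram (the Google timeout), while either side lowering its limit to 1232 turns the same answer into a TC reply that is retried over TCP.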


To view this discussion on the web visit https://groups.google.com/d/msgid/public-dns-discuss/6fb43c5f-6055-42ac-8d26-415f2bea64df%40googlegroups.com.