Evaluating DNS Resiliency and Responsiveness with Truncation, Fragmentation & DoTCP Fallback
Pratyush Dikshit, Mike Kosek, Nils Faulhaber, Jayasree Sengupta, Vaibhav Bajpai

TL;DR
This study analyzes the resiliency and responsiveness of DNS over TCP and UDP, focusing on fragmentation issues and fallback behaviors across IPv4 and IPv6, based on extensive measurements from RIPE Atlas probes.
Contribution
It provides a comprehensive measurement-based evaluation of DNS resiliency, response sizes, and fallback practices, highlighting fragmentation risks and protocol behaviors in real-world conditions.
Findings
Most resolvers show similar resiliency for DoTCP and DoUDP.
Some resolvers announce large EDNS(0) buffer sizes, risking fragmentation.
Resolvers often do not fall back to DoTCP despite large response sizes.
Abstract
Since its introduction in 1987, the DNS has become one of the core components of the Internet. While it was designed to work with both TCP and UDP, DNS-over-UDP (DoUDP) has become the default option due to its low overhead. As new Resource Records were introduced, the sizes of DNS responses increased considerably. This expansion of message body has led to truncation and IP fragmentation more often in recent years, where large UDP responses make DNS an easy vector for amplifying denial-of-service attacks, which can reduce the resiliency of DNS services. This paper investigates the resiliency, responsiveness, and usage of DoTCP and DoUDP over IPv4 and IPv6 for 10 widely used public DNS resolvers. In these experiments, these aspects are investigated from the edge and from the core of the Internet to represent the communication of the resolvers with DNS clients and authoritative name servers.…
Taxonomy
Topics: IPv6, Mobility, Handover, Networks, Security · Internet Traffic Analysis and Secure E-voting · Network Security and Intrusion Detection
