On 2022-03-27, Peter J. Philipp <p...@delphinusdns.org> wrote:
> Some fun facts about DNS. A DNS packet can be 0xffff hex (or 65535 bytes dec)
> maximally. This is true for TCP DNS packets, which carry an unsigned short
> length indicator before the packet segment. With UDP it's a bit different:
> a UDP packet can be maximally 65535 bytes long, but often the MTU of the
> interface doesn't allow this much room, so it fragments at the IP layer if the
> MTU is below that value. There is a constraint in UDP DNS keeping it to 512
> bytes without EDNS set; it can be increased with an EDNS header. Usually the
> value for this is 4096, but over time it has been reduced to 1232, which was
> invented at a DNS flag day, a community event with the DNS community.
TL;DR: with OpenBSD's current resolver settings I suggest leaving it alone.

The reason for this general change to 1232 is to avoid fragmentation and MTU blackholes - e.g. if the internet connection goes over a 1492 MTU pppoe connection and a restrictive firewall somewhere drops the frag-needed message, the lookup can fail. This generally doesn't apply to TCP as often, because most typical connections with restricted MTU are behind routers that adjust the MSS in TCP SYN packets to avoid fragmentation.

OpenBSD's system resolver still uses 4096 though (MAXPACKETSZ in libc/asr/asr_private.h).

Now, for queries against localhost that's not going to be an issue, as the default MTU on loopback on OpenBSD is 32768 bytes. But on the other hand, the latency is low, so the 3-way handshake is going to be very quick anyway, so there's little point.

If you're querying a resolver on the internet over an MTU smaller than the DNS server's (as is the case with many standard internet connections), doing a query with the edns0 buffer size set to 4096 could easily cause problems with some large responses. But you won't notice anything wrong unless you actually do such a query, probably long after you touched the setting.

-- 
Please keep replies on the mailing list.
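The following is an added worked example, not code from this thread or from OpenBSD's libc resolver. It builds a DNS query carrying an EDNS0 OPT pseudo-RR (RFC 6891) with a chosen UDP payload size, reads the advertised size back out of a packet, and relates that number to a path MTU so the fragmentation risk discussed above can be checked numerically: the 1232 figure falls out as the IPv6 minimum MTU (1280) minus the IPv6 and UDP headers, and the 1492 PPPoE case from the reply gives a much smaller safe size than 4096. The query name, transaction ID and MTU values are assumptions chosen for illustration.

```python
"""Build and inspect DNS queries carrying an EDNS0 OPT record (RFC 6891),
and relate the advertised UDP payload size to a path MTU.
Added example; the name, txid and MTU figures below are assumed."""
import struct

IPV4_HDR = 20          # bytes, IPv4 header without options
IPV6_HDR = 40          # bytes, fixed IPv6 header
UDP_HDR = 8
CLASSIC_UDP_MAX = 512  # RFC 1035 limit when no OPT RR is present
OPT_TYPE = 41          # RR type of the EDNS0 OPT pseudo-record


def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, edns_bufsize=None, txid=0x1234):
    """Return a DNS query packet (RD set). If edns_bufsize is given, append an
    OPT pseudo-RR whose CLASS field carries the requestor's UDP payload size."""
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    additional = b""
    arcount = 0
    if edns_bufsize is not None:
        if not CLASSIC_UDP_MAX <= edns_bufsize <= 0xFFFF:
            raise ValueError("EDNS0 payload size must be 512..65535")
        # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE/version/flags (all zero here), RDLENGTH=0
        additional = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
        arcount = 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    return header + question + additional


def _skip_name(pkt, off):
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(pkt):
    """Return the UDP payload size announced by an OPT RR in pkt, or 512 if
    the packet carries no EDNS0 OPT record (the RFC 1035 default)."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4           # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        if rtype == OPT_TYPE:
            return rclass   # CLASS of the OPT RR = requestor's UDP payload size
        off += 10 + rdlen
    return CLASSIC_UDP_MAX


def max_unfragmented_payload(path_mtu, ipv6=False):
    """Largest DNS message that fits in one IP packet on a path with this MTU."""
    return path_mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - UDP_HDR


def would_fragment(dns_len, path_mtu, ipv6=False):
    """True if a UDP DNS message of dns_len bytes exceeds the path MTU."""
    return dns_len > max_unfragmented_payload(path_mtu, ipv6)


if __name__ == "__main__":
    q = build_query("example.com", edns_bufsize=4096)    # assumed query name
    print("advertised buffer size:", advertised_udp_size(q))
    print("IPv6 minimum MTU 1280 ->", max_unfragmented_payload(1280, ipv6=True))
    print("IPv4 over 1492 PPPoE   ->", max_unfragmented_payload(1492))
    print("4096-byte answer over 1492 PPPoE fragments:", would_fragment(4096, 1492))
```

Running it shows the asymmetry the reply warns about: a 4096 advertisement invites answers up to 4096 bytes, but anything over 1464 bytes on the 1492-byte PPPoE path has to be fragmented at the IP layer, which is exactly the traffic a dropped frag-needed message turns into a silent lookup failure.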