How to verify a clean network path for DNS resolution by recursive servers
- Updated on 21 Feb 2017
- 2 minutes to read
This article only applies to BIND version prior to 9.10
BIND 9.10 (and more recent) uses a different EDNS probing algorithm that doesn't work with the current set of existing rs.dns-oarc.net records. ISC does not currently know of any similar set of records that works with the more recent EDNS probing algorithms.
Here is how you verify that you have a clean network path that will handle DNS correctly, including EDNS and DNSSEC.
Do this dig on all hosts that are running recursive resolvers:
dig +short rs.dns-oarc.net txt
The output should look something like this:
rst.x4001.rs.dns-oarc.net.rst.x3985.x4001.rs.dns-oarc.net.rst.x4023.x3985.x4001.rs.dns-oarc.net."192.168.1.1 sent EDNS buffer size 4096""192.168.1.1 DNS reply size limit is at least 4023 byte
You should insure that your whole network infrastructure between your DNS servers and the internet meets the following:
- Supports IETF RFC 4035 (Protocol Modifications for the DNS Security Extensions)
- Supports EDNS0 (IETF RFC 2671)
- Allows IP fragments
- Allows UDP packets up to 4096 bytes for every hop between the DNS server and the Internet
- Permits port 53 traffic in both directions, both TCP & UDP
- Does not block ICMP to/from the DNS servers.
If you are using a DNS proxy, it must conform to IETF RFC 5626 (DNS proxy implementation guidelines):
- Resolvers must handle resource records (RRs) of unknown type transparently
- All requests and responses must be proxied, regardless of the values of the QTYPE and QCLASS fields
- All responses must be proxied, regardless of the TYPE and CLASS fields of any resource record therein
© 2001-2018 Internet Systems Consortium For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership. ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.