Evaluating DNS Resiliency with Truncation, Fragmentation and DoTCP Fallback.

IFIP Networking (2023)

Abstract
Since its introduction in 1987, the DNS has become one of the core components of the Internet. Although it was designed to work over both TCP and UDP, DNS-over-UDP (DoUDP) became the default transport because of its low overhead. As new Resource Records were introduced, the size of DNS responses grew considerably. Larger messages have led to more frequent truncation and IP fragmentation in recent years, and large UDP responses make DNS an easy vector for amplification denial-of-service attacks; both effects reduce the resiliency of DNS services. This paper investigates the resiliency and usage of DoTCP and DoUDP over IPv4 and IPv6 for 10 widely used public DNS resolvers. In three experiments, these aspects are investigated from the Edge and from the Core of the Internet, representing the resolvers' communication with DNS clients and with authoritative name servers, respectively. Overall, more than 14M individual measurements performed from 2500 RIPE Atlas probes have been analyzed, showing that most resolvers exhibit similar resiliency for DoTCP and DoUDP. Yet 3 out of 10 resolvers predominantly announce very large EDNS(0) buffer sizes, both from the Edge and from the Core, which potentially causes fragmentation. In reaction to large responses from authoritative name servers, we find that in many cases resolvers do not fall back to DoTCP, bearing the risk of fragmented responses. As message sizes in the DNS are expected to grow further, this problem will become more urgent in the future.
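The mechanism the abstract measures, shown as an added worked example that is not code from the paper or its authors: a client builds a query carrying an EDNS(0) OPT record with its advertised UDP payload size, a constructed in-memory "authoritative server" sets the TC bit when the full response would exceed that size, and the client falls back to length-prefixed DNS-over-TCP only when TC is set. With a large advertised buffer (here 4096) the server instead returns the full 2 KB response over UDP, which is exactly the fragmentation risk the paper describes. The server, the name `example.com`, the record counts and the buffer sizes are assumptions for the demonstration; no network traffic is sent.

```python
import random
import struct

OPT_TYPE = 41   # EDNS(0) pseudo-RR (RFC 6891)
TXT_TYPE = 16
FLAG_TC = 0x0200


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(name: str, qtype: int, udp_payload_size: int, txid: int) -> bytes:
    """Header (RD=1, 1 question, 1 additional) + question + OPT RR.
    In the OPT RR the CLASS field carries the requestor's UDP payload size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)
    return header + question + opt


def parse_response(data: bytes) -> dict:
    """Extract id, TC bit, rcode, answer count and the server's EDNS buffer size."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4
    server_bufsize = None
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            server_bufsize = rclass
    return {"id": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0x000F,
            "ancount": an, "server_bufsize": server_bufsize}


def resolve(name: str, qtype: int, udp_send, tcp_send, udp_payload_size: int) -> dict:
    """Query over UDP first; retry the same query over TCP only if TC is set (RFC 7766)."""
    txid = random.randrange(0, 65536)
    query = build_query(name, qtype, udp_payload_size, txid)
    raw = udp_send(query)
    resp = parse_response(raw)
    if resp["id"] != txid:                      # basic spoofing check: ID must match
        raise ValueError("transaction ID mismatch")
    if not resp["tc"]:
        return {"transport": "udp", "response": resp, "wire_bytes": len(raw)}
    framed = tcp_send(struct.pack("!H", len(query)) + query)   # TCP: 2-byte length prefix
    (length,) = struct.unpack("!H", framed[:2])
    msg = framed[2:2 + length]
    resp = parse_response(msg)
    if resp["id"] != txid:
        raise ValueError("transaction ID mismatch")
    return {"transport": "tcp", "response": resp, "wire_bytes": len(msg)}


def fake_server(query: bytes, over_tcp: bool, answer_count: int, server_bufsize: int = 4096) -> bytes:
    """Constructed authoritative server (assumption, not a real implementation).
    Answers with answer_count 256-byte TXT records; over UDP it truncates (TC=1)
    when the full message exceeds the client's advertised EDNS buffer size."""
    txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", query[:12])
    qend = skip_name(query, 12) + 4
    question = query[12:qend]
    client_bufsize = 512                         # RFC 1035 default when no OPT RR is present
    off = qend
    for _ in range(ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            client_bufsize = rclass
    rdata = bytes([255]) + b"x" * 255            # one 255-byte TXT string
    answer = struct.pack("!H", 0xC00C) + struct.pack("!HHIH", TXT_TYPE, 1, 300, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, server_bufsize, 0, 0)
    full = struct.pack("!HHHHHH", txid, 0x8180, 1, answer_count, 0, 1) + question + answer * answer_count + opt
    if not over_tcp and len(full) > client_bufsize:
        # Truncated reply: QR|TC|RD|RA, no answers, OPT kept so the client sees our buffer size.
        return struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, 1) + question + opt
    return full


def demo(udp_payload_size: int, answer_count: int = 8) -> dict:
    """Resolve a constructed large TXT RRset against the fake server with the given EDNS buffer size."""
    def udp_send(q):
        return fake_server(q, over_tcp=False, answer_count=answer_count)

    def tcp_send(framed):
        (length,) = struct.unpack("!H", framed[:2])
        r = fake_server(framed[2:2 + length], over_tcp=True, answer_count=answer_count)
        return struct.pack("!H", len(r)) + r

    return resolve("example.com", TXT_TYPE, udp_send, tcp_send, udp_payload_size)


if __name__ == "__main__":
    for size in (1232, 4096):
        r = demo(size)
        print(f"advertised {size}: got {r['response']['ancount']} answers via "
              f"{r['transport']}, {r['wire_bytes']} bytes on the wire")
```

Advertising 1232 bytes (the value recommended by the DNS Flag Day 2020 effort, chosen to fit the IPv6 minimum MTU) produces a 40-byte truncated UDP reply followed by a clean TCP retry; advertising 4096 produces a single 2184-byte UDP message that would be fragmented on an ordinary 1500-byte path. A resolver that advertises large buffers and then does not fall back to TCP on oversized replies is exactly the case the paper flags.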
Keywords
EDNS(0), DNS-over-TCP, Resiliency