OARC's DNS Reply Size Test Server

Recent increases in DNSSEC deployment are exposing problems  with DNS resolvers that cannot receive large responses.
The maximum reply size between a DNS server and resolver may be limited by a number of factors:

  • If a resolver does not support the Extension Mechanisms for DNS (EDNS), replies are limited to 512 bytes.
  • The resolver may be behind a firewall that blocks IP fragments.
  • Some DNS-aware firewalls block responses larger than 512 bytes.
The BIND resolver, since version 9.5.0, includes a feature to decrease its advertised EDNS receive buffer size (down to 512) when its queries time out. We've seen this lead to significant increases in TCP for DNSSEC-signed zones.
DNS-OARC built the DNS Reply Size Test Server to help users identify resolvers that cannot receive large DNS replies.
Web-Link: DNS-ORAC - Website