DNS Response Flags and UDP Payload Size being Modified by ADC in DNS Proxy Mode
Article ID: CTX255205
Description
When ADC is deployed in DNS proxy mode, i.e. load balancing DNS servers, two fields differ between what the back-end DNS server sends and what the client receives: the RA (Recursion Available) flag in the DNS header and the UDP payload size advertised in the EDNS OPT record.

Client == DNS Query ===> LB
    UDP payload size in EDNS header: 4096

SNIP == DNS Query ===> Real server
    UDP payload size in EDNS header: 1280 (modified by ADC)

SNIP <== DNS Response === Real server
    UDP payload size in EDNS header: 4096
    Flags: Recursion Available = 1

Client <== DNS Response === LB
    UDP payload size in EDNS header: 1280 (modified by ADC)
    Flags: Recursion Available = 0 (modified by ADC)
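The two fields in the exchange above are easy to misread by eye in a capture, since the UDP payload size lives in the CLASS field of the OPT pseudo-record rather than in a labelled header field. The following is an added example, not code from this article or from Citrix: a small Python parser that extracts the RA bit from the DNS header and the UDP payload size from the EDNS OPT record (RFC 6891), then reports which fields changed between the server-side and client-side copies of a response. The two packets it compares are constructed in the block to match the trace described above (example.com/A, answer 192.0.2.1); they are not real captures.

```python
import struct

# Header flag bits (RFC 1035) and the OPT pseudo-RR type (RFC 6891).
QR_BIT = 0x8000
RA_BIT = 0x0080
OPT_TYPE = 41


def _skip_name(pkt: bytes, off: int) -> int:
    """Advance past a wire-format name; a compression pointer ends it in 2 bytes."""
    while True:
        ln = pkt[off]
        if (ln & 0xC0) == 0xC0:
            return off + 2
        off += 1
        if ln == 0:
            return off
        off += ln


def parse_dns_response(pkt: bytes) -> dict:
    """Pull the fields the article compares: the RA bit and the EDNS UDP payload size."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    udp_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            # RFC 6891: the OPT record reuses CLASS to carry the UDP payload size.
            udp_size = rclass
    return {
        "id": ident,
        "is_response": bool(flags & QR_BIT),
        "ra": bool(flags & RA_BIT),
        "rcode": flags & 0x000F,
        "edns_udp_size": udp_size,
    }


def proxy_changes(server_side: bytes, client_side: bytes) -> dict:
    """Fields that differ between the SNIP-side and client-side copies of a response."""
    a, b = parse_dns_response(server_side), parse_dns_response(client_side)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


# --- constructed sample packets (not real captures) ---------------------------

def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"


def build_response(ra: bool, udp_size: int, ident: int = 0x1234) -> bytes:
    """A minimal answer for example.com/A with one OPT record (constructed)."""
    flags = QR_BIT | (RA_BIT if ra else 0)
    header = struct.pack("!6H", ident, flags, 1, 1, 0, 1)
    question = _encode_name("example.com") + struct.pack("!HH", 1, 1)
    # Answer name is a compression pointer to the question name at offset 12.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    # OPT: root name, TYPE=41, CLASS=udp_size, TTL=extended flags (0), no RDATA.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + answer + opt


# What the traces in this article show: server -> SNIP vs. LB -> client.
SERVER_TO_SNIP = build_response(ra=True, udp_size=4096)
LB_TO_CLIENT = build_response(ra=False, udp_size=1280)

if __name__ == "__main__":
    for k, (srv, cli) in proxy_changes(SERVER_TO_SNIP, LB_TO_CLIENT).items():
        print(f"{k}: server side={srv}  client side={cli}")
```

For a real check, feed proxy_changes the UDP payload of the same response as captured on the SNIP side and on the client side (for example from an nstrace or tcpdump file; extracting the payload is left to whatever capture tooling you use). With the default DNS proxy behavior it reports ra (True, False) and edns_udp_size (4096, 1280); after the settings in the Resolution below are applied, the expected result is an empty dict.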
Resolution
RA flag alteration

Cause: The difference in the "flags" value is the RA (Recursion Available) bit. The response from the server to the NetScaler carries this flag, but the NetScaler clears it when forwarding the response to the client. This is the default behavior when the NetScaler is deployed in DNS proxy mode, i.e. as a DNS load balancer.

Solution: If you are load balancing DNS servers that support recursion and want the RA flag advertised to clients, set the "Recursion Available" option on the DNS load balancing virtual server to YES (-RecursionAvailable YES on the lb vserver). Leave it at NO when the back ends are authoritative-only servers, so that clients are not told recursion is available when it is not.

UDP payload size alteration

Cause: The UDP payload size in the EDNS OPT record tells the requestor/responder the largest DNS message the sender can accept in a single UDP packet. On older builds, the maximum DNS packet size the NetScaler can handle in DNS proxy mode is 1280 bytes, so it rewrites the advertised value to 1280 in both directions: in the query forwarded to the server and in the response forwarded to the client. A responder that honors the advertised 1280 will truncate (TC=1) any larger answer, and the client must then retry over TCP.

Solution: Jumbo frame support for DNS was added in release 12.1 build 49.xx. A new option in the DNS parameters (maxUDPPacketSize) lets you raise the limit, for example to 4096 (set dns parameter -maxUDPPacketSize 4096). See:
https://docs.citrix.com/en-us/citrix-adc/12-1/dns/jumbo-frames-support-for-dns-to-handle-responses-of-large-sizes.html