DNS, the Recent Apple iOS update and the Future
A few weeks back it came to our attention that some of our customers were struggling to download the recent update to their Apple iOS devices. All initial diagnostic tests could find no errors or problems. We then became aware of the discussions on various fora that if the user changed their DNS resolver to either OpenDNS or Google DNS that it solved the issue. Again, we tested our DNS resolvers and they could successfully look up the relevant record.
However it was in doing this test that we spotted what the cause was – the packet size! When performing a query for appldnld.apple.com, one of the diagnostic team saw that the size of the returned packet was well over 512 bytes:
;; MSG SIZE rcvd: 729
However Google and OpenDNS were returning much smaller payloads, e.g. from Google:
;; MSG SIZE rcvd: 172
At Zen we use BIND9 for our DNS resolvers in a standard configuration. In this configuration the server would also return the “Authority” and “Additional” data sections in the DNS reply, along with the “Answer” section. It is the latter that is the important part of the reply, whereas the former two are optional but useful when it comes to some diagnostics. Since the optional data may be obtained if required we took the decision to configure the DNS resolvers for “minimal-responses”. This reduced the packet size and fixed the issue.
Now, the question that needs to be asked is “Why did packets greater than 512 bytes in size cause a problem?” The issue here lies with how DNS was implemented originally, and how it needs to behave in a modern Internet.
In the original specification of the DNS protocol, defined in RFC 1035 (Request For Comments) back 1987, was that no UDP packet should exceed 512 bytes in size – the vast majority of DNS lookups are made via the UDP protocol. Should the packet size exceed 512 bytes, then the process should fall back to using TCP instead. It is this fall back mechanism that failed with regard to the iOS update. Most users will be operating their broadband router in its default configuration in which it forwards their DNS requests for them, eg :
PC <–DNS–> Router <–DNS–> Zen <–DNS –> World
Many xDSL routers don’t implement the TCP side of DNS when they can’t handle large packets, which is something I’ll come back to later. So, when Zen sent back a large packet the router failed to understand it, and also failed to try TCP, resulting in the iOS devices not being able to look up where to obtain their downloads. By changing the router, or even the device, to use Google or OpenDNS resulted in successful lookups.
This problem of large packets was considered many years ago. Back in 1999 RFC 2671 was put forward, suggesting a mechanism for larger packets to be handled, but still using UDP. This mechanism has been accepted, and implemented (to some extent), and is known as EDNS.
EDNS is important in a far wider sense these days, and that is in the realm of DNSSEC. This is the digital “signing” of DNS records. This is relevant to security applications, for example how do you know that the IP address you’ve received for www.your.bank.com is actually that bank and not someone pretending to be it? Consider DNSSEC as a similar mechanism to HTTPS in the browser realm – it provides a trust mechanism. The downside to DNSSEC is it produces much bigger packets – bigger than even that appldnld.apple.com one.
At Zen we made sure that all our infrastructure was capable of handling the larger DNS packet sizes used for DNSSEC, and other EDNS payloads, back at the start of 2010 when the DNS Root servers were to be signed. Unfortunately we’re still bound by what the broadband routers are capable of. A study from Nominet back in late 2008 showed that DNSSEC within router hardware was poorly supported. Much has changed since then, but EDNS support is still poor within consumer hardware.
We can hope that support for EDNS and the like will appear in new hardware, and firmware for older equipment as time goes by. Zen and many other bodies within the ISP realm are working with CPE manufactures to push for support for these “new” mechanisms within the Internet.
This was certainly an unusual problem to diagnose, and we certainly thank our sharp eyed engineer performing the diagnosis for spotting the problem 
While I don’t have any Apple products and therefore haven’t suffered from this problem I found your response really informative about the underlying issues with DNS; it must have been a challenge to solve.
However, what I find even more impressive is your correct usage of the plural of “forum”, not forums, but fora. Well done, the grammar Police will be over the moon
It certainly had a few heads scratching whilst we looked into it. The problem was, of course, obscured by our access being direct and not via any CPE hardware. Since we had ensured that our network was capable of handling DNSSEC we had looked at the issues relating to CPE and it will have been this latent knowledge of the 512 byte limit that came to the fore.
As to the Grammar Police, I was introduced to this carton today, which you may also like:
http://themetapicture.com/comforting-a-grammar-obsessed-person/
Love the picture
Good that you guys post this level of detail. But really shouldn’t a good ISP keep all this deep geek stuff away from it’s customers. We don’t care how it works as long as it does! Rather than it not and a complicated explanation!
Not at all! Things would be far better if people took an interest in what goes on behind the scenes!
Thank you very much for the in-depth description
Hi James,
Oh, I agree that it’s better that a service works rather than a non-functioning service and a detailed description of why it’s not. The reason I went into a fair amount of detail is that I know there are customers out there that will have an interest – I’ve always been detailed on the various fora that I also post to.
The main theme of this post was to highlight that it was no particular problem, but a confluence of events that lead to the problem occurring and that it may appear again with other DNS queries, such as those related to DNSSEC.
I’ll apologise in advance, but because of the area I work in and have been asked to blog about, there is likely to be a fair amount of detail in my posts