MX Record Theories

Mark Andrews marka at
Thu May 28 18:15:46 CDT 2009

In message <c3de0a330905280804t56ca87dapd94281399202a48 at>, Bobby Mac writes:
> Not entirely on subject but....  I thought that allowing DNS queries to
> occur via TCP is mission critical for simple mail routing.  We ran across
> this back in the day at @Home Network.  Firewall rules were changed to not
> allow port 53 TCP.  This severely affected sending mail to large
> distribution lists.  Here is what we found and forgive me if I don't go into
> too much detail as it was almost 10 years ago.

	As I said, sites just don't do this as it causes serious
	problems.  Sites that disable TCP/53 outbound just end up
	re-enabling it.  Nameservers and stub resolvers automatically
	retry with TCP and the client applications just don't get
	answers returned when you start blocking TCP/53 outbound.
	It doesn't take long for said stupidity to be reversed.
> If you add enough recipients to an email, each domain within the send line
> needs to have an associated MX record.  DNS by default starts with UDP which
> has a limit to the datagram size (64bit). A flag is placed in the
> header which then requires the request to be sent via TCP (160bit V4).  Now
> that single query can be split up into many different packets providing that
> the request is more than the 160 bit and obviously IPV6 offers even more
> information contained in a single packet.

	The number of recipients has no impact on the size of the
	DNS responses.  It will have an impact on the number of DNS
	queries made iff the recipients are in multiple mail domains.

> -BobbyJim
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at
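The two mechanics discussed in this thread, the TC (truncated) bit that tells a resolver to retry over TCP/53, and the fact that the MX query count scales with distinct mail domains rather than with recipients, shown as an added example that is not part of the NANOG thread or any ISC code. It uses only the wire format from RFC 1035 (12-byte header, TC flag 0x0200, two-byte length prefix on TCP). The "truncated response" it builds is a constructed sample, not captured traffic, and the helper names (`build_mx_query`, `needs_tcp_retry`, `resolve_plan`) are my own.

```python
import struct
from typing import Callable, Dict, Iterable, List, NamedTuple

# Classic DNS-over-UDP payload limit without EDNS (RFC 1035 section 2.3.4).
UDP_PAYLOAD_LIMIT = 512
QTYPE_MX = 15
QCLASS_IN = 1
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_TC = 0x0200  # truncated: the client must retry the query over TCP


class DnsHeader(NamedTuple):
    ident: int
    is_response: bool
    truncated: bool
    rcode: int
    qdcount: int
    ancount: int


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_mx_query(ident: int, domain: str) -> bytes:
    """Header (QDCOUNT=1, RD set) followed by one question for <domain> MX IN."""
    header = struct.pack("!HHHHHH", ident, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!HH", QTYPE_MX, QCLASS_IN)


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed 12-byte header; this is all a client needs to spot TC."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return DnsHeader(ident, bool(flags & FLAG_QR), bool(flags & FLAG_TC),
                     flags & 0x000F, qd, an)


def needs_tcp_retry(udp_response: bytes) -> bool:
    """True when the server set TC, i.e. the answer did not fit in the UDP reply."""
    return parse_header(udp_response).truncated


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 16-bit length (RFC 1035 4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for a 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream: bytes) -> bytes:
    """Inverse of frame_for_tcp; rejects a short read instead of returning a partial message."""
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("short read: TCP stream ended before the full DNS message")
    return body


def constructed_response(query: bytes, truncated: bool) -> bytes:
    """Constructed sample reply: echo the question with QR set, and TC when the
    server's full MX answer would have exceeded UDP_PAYLOAD_LIMIT."""
    ident, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags |= FLAG_QR
    if truncated:
        flags |= FLAG_TC
    return struct.pack("!HHHHHH", ident, flags, qd, 0, 0, 0) + query[12:]


def mx_query_domains(recipients: Iterable[str]) -> List[str]:
    """One MX lookup per distinct mail domain, not one per recipient."""
    return sorted({addr.rsplit("@", 1)[1].lower().rstrip(".")
                   for addr in recipients if "@" in addr})


def resolve_plan(recipients: Iterable[str],
                 udp_response_for: Callable[[bytes], bytes]) -> Dict[str, str]:
    """Decide, per domain, whether the UDP answer stands or a TCP retry is needed.
    udp_response_for stands in for the network; it is injected so this runs offline."""
    plan: Dict[str, str] = {}
    for i, domain in enumerate(mx_query_domains(recipients)):
        query = build_mx_query(0x1000 + i, domain)
        reply = udp_response_for(query)
        if parse_header(reply).ident != parse_header(query).ident:
            raise ValueError(f"reply ID mismatch for {domain}")
        plan[domain] = "tcp" if needs_tcp_retry(reply) else "udp"
    return plan
```

With TCP/53 blocked outbound, every domain that `resolve_plan` marks `"tcp"` simply never gets an answer, which is the failure mode the thread describes; the `ident` check is there because a client that retries must still match replies to the query it sent.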
