Why DNS through UDP has a 512 bytes limit?

Solution 1:

The 512 byte payload guarantees that DNS packets can be reassembled if fragmented in transit. Also, generally speaking there's less chance of smaller packets being randomly dropped.

The IPv4 standard specifies that every host must be able to reassemble packets of 576 bytes or less. With an IPv4 header (20 bytes, though it can be as high as 60 bytes w/ options) and an 8 byte UDP header, a DNS packet with a 512 byte payload will be smaller than 576 bytes.

As @RyanRies says: DNS can use TCP for larger payloads and for zone transfers and DNSSEC. There's a lot more latency when TCP comes into play because, unlike UDP, there's a handshake between the client and server before any data begins to flow.

Solution 2:

Modern DNS is not actually limited to 512 bytes payload for UDP anymore.

With EDNS0 in use a larger payload size can be specified, which is also commonly the case for DNSSEC-aware clients.

The support for larger payloads over UDP has been a double-edged sword, however, it is in part the reason why using nameservers for amplification attacks has become more popular as you can achieve better amplification if the attacker uses a query that gets a large response.

See rfc2671 for the nitty-gritty details of EDNS0


Solution 3:

DNS operations for example, queries, and zone maintenance operations by default use port 53. For performance reasons, queries use the UDP protocol with a block-size limit of 512 bytes. TCP can be optionally negotiated on a transaction-by-transaction basis for query operations, but due to the performance overhead incurred with TCP, this is essentially a theoretical capability. Historically, exceeding the 512-byte response size limit was typically avoided at all costs, and indeed the limit of 13 IPv4 root-servers was the maximum that could be returned in a single 512-byte UDP transaction.

Ron Aitchison - Pro DNS and BIND 10 - 2011