Hi All,

There was a presentation about fragmentation attacks against DNS:
https://indico.dns-oarc.net/event/31/contributions/692/attachments/660/1115/fujiwara-5.pdf

DNS Flag Day 2020 recommends an EDNS buffer size of 1232 to avoid fragmentation in most
common setups.

Index: src/etc/nsd.conf
===================================================================
RCS file: /cvs/src/etc/nsd.conf,v
retrieving revision 1.13
diff -u -p -r1.13 nsd.conf
--- src/etc/nsd.conf    16 Aug 2018 17:59:12 -0000      1.13
+++ src/etc/nsd.conf    17 Sep 2019 15:43:48 -0000
@@ -17,6 +17,11 @@ server:
 ## on by default
 #      refuse-any: yes
 
+## respond with a small EDNS buffer size to avoid 
+## fragmentation attacks leading to spoofed DNS packets.
+#      ipv4-edns-size: 1232
+#      ipv6-edns-size: 1232
+
 remote-control:
        control-enable: yes
        control-interface: /var/run/nsd.sock
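Review bot: The first added comment line, `## respond with a small EDNS buffer size to avoid `, carries trailing whitespace after "avoid"; it should be trimmed so the example config stays clean for editors and linters. Both new `ipv4-edns-size`/`ipv6-edns-size` lines are commented out, so this hunk only changes the shipped example and not the running default; if that is the intent, the comment could say so and name the source of the value, e.g. `## fragmentation attacks leading to spoofed DNS packets (1232 per DNS Flag Day 2020).`. The same trailing-whitespace issue appears in the unbound.conf hunk below.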


Index: src/etc/unbound.conf
===================================================================
RCS file: /cvs/src/etc/unbound.conf,v
retrieving revision 1.17
diff -u -p -r1.17 unbound.conf
--- src/etc/unbound.conf        25 Aug 2019 15:50:21 -0000      1.17
+++ src/etc/unbound.conf        17 Sep 2019 15:43:32 -0000
@@ -39,9 +39,9 @@ server:
 
        # UDP EDNS reassembly buffer advertised to peers. Default 4096.
        # May need lowering on broken networks with fragmentation/MTU issues,
-       # particularly if validating DNSSEC.
-       #
-       #edns-buffer-size: 1480
+       # particularly if validating DNSSEC. 
+       # A value around 1232 is recommended to avoid fragmentation attacks.
+       #edns-buffer-size: 1232
 
        # Use TCP for "forward-zone" requests. Useful if you are making
        # DNS requests over an SSH port forwarding.
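Review bot: The new line `# particularly if validating DNSSEC. ` ends with a trailing space introduced by this change; the old line had none, so the replacement should be `# particularly if validating DNSSEC.` with the recommendation sentence kept on the following line as it is. Note that the option stays commented out, so the advertised buffer remains the default of 4096 stated two lines above, and the mitigation described in the new comment only takes effect for users who uncomment `edns-buffer-size: 1232`; the comment should make that explicit rather than reading as if the default changed.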
