On 2019/09/17 20:19, logan wrote:
> Hi All,
>
> There was a presentation about fragmentation attacks against DNS:
> https://indico.dns-oarc.net/event/31/contributions/692/attachments/660/1115/fujiwara-5.pdf

There's also https://tools.ietf.org/html/draft-fujiwara-dnsop-fragment-attack-01 which I find easier to read.

> DNS Flag day 2020 recommends 1232 to avoid fragmentation in most
> common setups.

I think it's often useful to avoid fragmentation where sanely possible and it might be worth restricting max-buffer-size on that basis.

(btw if we do change anything I think it should be changed in the code, e.g. EDNS_MAX_MESSAGE_LEN in nsd's configure.ac, and I think it's EDNS_ADVERTISED_SIZE in unbound's net_help.c - maybe with a note in the sample config as well, but I think many users won't pick up the change if it's only done there).

But... I don't see that changing the edns max buffer size by itself helps with the frag attacks, it seems that additional countermeasures are needed to help with those, and I don't think those are something that we can generally do. For example rejecting incoming fragmented UDP/53 would need to be before PF reassembly...
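
The EDNS advertised buffer size discussed in this thread lives in the CLASS field of the OPT pseudo-RR (RFC 6891). The following is an added example, not code from the thread or from nsd/unbound: it builds a minimal query advertising 1232 bytes, parses the advertised size back out of a wire-format message, and shows where 1232 comes from (IPv6 minimum MTU 1280 minus 40-byte IPv6 and 8-byte UDP headers). The function names are my own.

```python
import struct

# Origin of the Flag Day 2020 value: IPv6 minimum MTU minus IPv6 and UDP headers.
IPV6_MIN_MTU = 1280
FLAG_DAY_2020_BUFSIZE = IPV6_MIN_MTU - 40 - 8  # 1232

def max_unfragmented_bufsize(mtu=IPV6_MIN_MTU, ipv6=True):
    """Largest UDP payload that fits in one datagram of the given MTU."""
    return mtu - (40 if ipv6 else 20) - 8

def build_edns_query(qname, qtype=1, bufsize=FLAG_DAY_2020_BUFSIZE, edns=True, txid=0x1234):
    """Wire-format DNS query; with edns=True an OPT RR advertises bufsize."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if not edns:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)
    return header + question + opt

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + ln

def advertised_bufsize(msg):
    """EDNS UDP payload size advertised in msg, or None if there is no OPT RR
    (in which case the classic 512-byte UDP limit applies)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return None

if __name__ == "__main__":
    q = build_edns_query("example.com.")
    print(len(q), "bytes, advertises", advertised_bufsize(q))
```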
