On Tue, Sep 17, 2019 at 08:19:29PM +0400, logan wrote:
> Hi All,
> 
> There was a presentation about fragmentation attacks against DNS:
> https://indico.dns-oarc.net/event/31/contributions/692/attachments/660/1115/fujiwara-5.pdf
> 
> DNS Flag day 2020 recommends 1232 to avoid fragmentation in most
> common setups.
> 

What is upstream's stance on this?

> Index: src/etc/nsd.conf
> ===================================================================
> RCS file: /cvs/src/etc/nsd.conf,v
> retrieving revision 1.13
> diff -u -p -r1.13 nsd.conf
> --- src/etc/nsd.conf  16 Aug 2018 17:59:12 -0000      1.13
> +++ src/etc/nsd.conf  17 Sep 2019 15:43:48 -0000
> @@ -17,6 +17,11 @@ server:
>  ## on by default
>  #    refuse-any: yes
>  
> +## respond with a small EDNS buffer size to avoid 
> +## fragmentation attacks leading to spoofed DNS packets.
> +#    ipv4-edns-size: 1232
> +#    ipv6-edns-size: 1232
> +
>  remote-control:
>       control-enable: yes
>       control-interface: /var/run/nsd.sock
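Review bot: the first added comment line carries trailing whitespace after "avoid", and both new options are left commented out, so this hunk changes nothing at runtime. State in the commit message whether the intent is only to document the 1232 hint next to `refuse-any`, or to change the shipped default; if the latter, uncomment `ipv4-edns-size: 1232` and `ipv6-edns-size: 1232` so the recommendation from the cited presentation actually takes effect.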
> 
> 
> Index: src/etc/unbound.conf
> ===================================================================
> RCS file: /cvs/src/etc/unbound.conf,v
> retrieving revision 1.17
> diff -u -p -r1.17 unbound.conf
> --- src/etc/unbound.conf      25 Aug 2019 15:50:21 -0000      1.17
> +++ src/etc/unbound.conf      17 Sep 2019 15:43:32 -0000
> @@ -39,9 +39,9 @@ server:
>  
>       # UDP EDNS reassembly buffer advertised to peers. Default 4096.
>       # May need lowering on broken networks with fragmentation/MTU issues,
> -     # particularly if validating DNSSEC.
> -     #
> -     #edns-buffer-size: 1480
> +     # particularly if validating DNSSEC. 
> +     # A value around 1232 is recommended to avoid fragmentation attacks.
> +     #edns-buffer-size: 1232
>  
>       # Use TCP for "forward-zone" requests. Useful if you are making
>       # DNS requests over an SSH port forwarding.
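Review bot: the rewritten "particularly if validating DNSSEC." line gains trailing whitespace, and the blank `#` separator line between the explanation and the option is dropped; strip the space and keep the separator so the block matches the surrounding comment style. Also, "A value around 1232" is vaguer than the quoted recommendation, which gives exactly 1232; consider "1232 is recommended to avoid fragmentation attacks" so the commented-out `#edns-buffer-size: 1232` and its explanation agree. As with the nsd hunk, the option stays commented out while the comment still says "Default 4096", so the effective buffer size is unchanged by this diff.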
> 

-- 
I'm not entirely sure you are real.
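The thread is about the UDP payload size a server advertises in its EDNS OPT record, which is what `edns-buffer-size` and `ipv4-edns-size`/`ipv6-edns-size` control. The following added example, written for this page and not taken from the thread or from the nsd or unbound projects, parses that value out of a raw DNS message and compares it with the 1232-byte figure the quoted message cites, so an operator can verify what a resolver or authoritative server actually advertises on the wire. The message builder, the `example.com` name and the query ID are constructed test inputs; nothing is sent over the network.

```python
import struct

EDNS_OPT_TYPE = 41        # RR type of the EDNS(0) OPT pseudo-record (RFC 6891)
RECOMMENDED_MAX = 1232    # DNS Flag Day 2020 figure quoted in the thread


def _skip_name(msg, off):
    """Return the offset just past the domain name starting at off.
    Handles both label sequences and 2-byte compression pointers."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def edns_udp_size(msg):
    """Return the UDP payload size advertised in the OPT RR of a DNS message,
    or None if the message carries no EDNS OPT record."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for section_count in (an, ns, ar):
        for _ in range(section_count):
            off = _skip_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("truncated resource record")
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == EDNS_OPT_TYPE:
                return rclass                   # OPT reuses CLASS for the UDP payload size
            off += 10 + rdlen
    return None


def build_query(qname, udp_size=None):
    """Constructed test input: a minimal A query for qname, optionally with an
    OPT RR in the additional section advertising udp_size."""
    arcount = 1 if udp_size is not None else 0
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, arcount)
    labels = qname.strip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    msg = header + question
    if udp_size is not None:
        # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = flags (0), RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_size, 0, 0)
    return msg


def check_size(msg):
    """Classify the advertised size against the 1232-byte recommendation."""
    size = edns_udp_size(msg)
    if size is None:
        return "no-edns"
    return "ok" if size <= RECOMMENDED_MAX else "oversized"


if __name__ == "__main__":
    for size in (4096, 1480, 1232):
        q = build_query("example.com.", size)
        print(f"advertised {edns_udp_size(q)} bytes: {check_size(q)}")
    print("no OPT record:", check_size(build_query("example.com.")))
```

The same parser works on a captured response, since the OPT RR sits in the additional section there too; feeding it the bytes of a reply from a server before and after uncommenting the 1232 setting shows whether the change actually took effect.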