Maintained by: NLnet Labs

[Unbound-users] Maximum size of UDP responses?

Daisuke HIGASHI
Wed Apr 10 13:42:58 CEST 2013


Hi Wouter, thanks for your comments.

> One thing I am not sure about is that
> allow_minimal, with 512byte responses, does not allow the client to
> use dnssec validation, because 512 is often too small to do so.  Or do
> you want it to use TCP as it receives +TC replies?

  Yes, they will be +TC replies and the requester will retry the query via TCP.
For the reason you gave (512 bytes is too small for DNSSEC replies) we
should not apply allow_minimal to all normal and legitimate users. But
IMHO it is useful under some circumstances and worth the code added.

  In addition to mitigating amplification attacks against legitimate
users, another use case of allow_minimal is as a first step to closing an
open resolver. In my experience, the first step in implementing IP
address authorization (RFC 5358) on an open resolver is investigating who
uses the resolver and asking them to use an appropriate resolver. This
work often takes a long time, especially in a large ISP environment. To
mitigate DNS amplification attacks (by this resolver) during this work
we could immediately apply "allow_minimal" as a temporary configuration,
as below.

# All access-control lines belong in the server: clause of unbound.conf.
# Step 0: open resolver's ACL configuration.
access-control: 0.0.0.0/0 allow
-----
# Step 1: investigating who uses this resolver…
access-control: 0.0.0.0/0 allow_minimal
# provide "full service" to definitely legitimate users.
access-control: 192.168.0.0/24 allow
access-control: 203.0.113.0/24 allow
…
-----
# Step 2: Congratulations! We've identified all IPs of legitimate users.
access-control: 192.0.2.0/24 allow
access-control: 203.0.113.0/24 allow
access-control: 192.168.0.0/24 allow
# End of ACL

  The value 512 (bytes) is currently the optimal value for these purposes,
since very few stub resolvers implement EDNS0/DNSSEC and many DNS
administrators keep DNS response message sizes up to 512 bytes to
avoid TCP fallback.

Regards,
-- 
Daisuke HIGASHI <daisuke.higashi at gmail.com>
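The following is an added example illustrating the staged ACL rollout above; it is not Unbound's code and not part of the original post. It models Unbound's access-control lookup (the most specific netblock wins, unlisted addresses are refused) and the proposed allow_minimal action as described in the thread: UDP answers capped at 512 bytes with TC set so the client retries over TCP. The truncation model (a truncated reply sent at the cap size), the query/response sizes and the source addresses are constructed assumptions for the demonstration.

```python
"""Model of Unbound-style ACLs plus the proposed allow_minimal action.

Added example: approximates the semantics discussed in the thread, it is
not Unbound source code. Sizes and addresses below are constructed.
"""
import ipaddress

MINIMAL_UDP_LIMIT = 512  # bytes; the cap argued for in the post

# Constructed copy of the "Step 1" configuration from the post.
STEP1_ACL = """
access-control: 0.0.0.0/0 allow_minimal
access-control: 192.168.0.0/24 allow
access-control: 203.0.113.0/24 allow
"""

# Constructed copy of the "Step 2" configuration from the post.
STEP2_ACL = """
access-control: 192.0.2.0/24 allow
access-control: 203.0.113.0/24 allow
access-control: 192.168.0.0/24 allow
"""


def parse_acl(text):
    """Parse 'access-control: <netblock> <action>' lines into (network, action)."""
    acl = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        _, net, action = line.split()
        acl.append((ipaddress.ip_network(net, strict=False), action))
    return acl


def lookup(acl, src):
    """Return the action for src: the most specific matching netblock wins.

    Addresses matching no entry get 'refuse', Unbound's documented default
    for unlisted clients.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for net, action in acl:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


def udp_response(acl, src, query_len, full_answer_len, edns_bufsize=512):
    """Return (action, bytes_sent, tc_set) for a UDP query from src.

    Hypothetical allow_minimal semantics (from the proposal): behave like
    'allow' but ignore the client's EDNS buffer size, cap the UDP answer at
    512 bytes and set TC so the client retries over TCP. The truncated
    reply is modelled as exactly the cap size (an upper bound).
    """
    action = lookup(acl, src)
    if action == "deny":
        return action, 0, False          # dropped silently
    if action == "refuse":
        return action, query_len, False  # REFUSED: roughly the query echoed back
    limit = MINIMAL_UDP_LIMIT if action == "allow_minimal" else max(512, edns_bufsize)
    if full_answer_len > limit:
        return action, limit, True
    return action, full_answer_len, False


def amplification(acl, src, query_len, full_answer_len, edns_bufsize=512):
    """Bytes sent per byte received for a spoofed UDP query from src."""
    _, sent, _ = udp_response(acl, src, query_len, full_answer_len, edns_bufsize)
    return sent / query_len


if __name__ == "__main__":
    step1 = parse_acl(STEP1_ACL)
    # A spoofed 60-byte query asking for a 3000-byte DNSSEC answer with a
    # 4096-byte EDNS buffer, from an unknown client and a known-good one.
    for src in ("198.51.100.7", "203.0.113.10"):
        print(src, udp_response(step1, src, 60, 3000, 4096),
              "x%.1f" % amplification(step1, src, 60, 3000, 4096))
```

Under the Step 1 ACL an unknown client still gets answered (so its users keep working) but a spoofed 60-byte query yields at most a 512-byte truncated reply instead of a 3000-byte one, cutting the amplification factor from 50 to about 8.5; once the Step 2 ACL is in place the same address is refused outright.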