Maintained by: NLnet Labs

[Unbound-users] Maximum size of UDP responses?

Daisuke HIGASHI
Fri Mar 29 13:54:31 CET 2013


Hi Stephane,

I'm creating a patch which adds directive "max-udp-size" and a new ACL
action "allow_minimal".  You can apply this patch to Unbound-1.4.20 or
current trunk.

"max-udp-size" is almost exactly same as BIND9's.


ACL action "allow_minimal" is like "allow" but limits UDP response
size up to 512 bytes. Essentially it limits amplification rate of DNS
traffic reflection attack more aggressively.

DNS reflection attack against hosts matching ACL "allow"  is still
feasible though we have implemented IP address based authorization
(RFC5358).  "allow_minimal" could mitigate this kind of attack. You
can apply "allow_minimal" to users under attack as temporary
configuration, or to hosts which queries without EDNS0 (like most stub
resolver) as permanent configuration.

Any comments? I hope this patch would be applied to mainline.

Regards,
--
 Daisuke HIGASHI <daisuke.higashi at gmail.com>

2013/3/29 Stephane Bortzmeyer <bortzmeyer at nic.fr>:
> I would like to experiment with lower maximum UDP response sizes. With
> BIND, I would set max-udp-size. I do not find the equivalent for
> Unbound.
>
> edns-buffer-size: it's what is advertised to the authoritative
> servers, I would like a different values for the answers to the
> clients.
>
> msg-buffer-size: it's for TCP as well, I would like something for UDP
> only.
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unbound-maxudp-allowmininal.patch
Type: application/octet-stream
Size: 8249 bytes
Desc: not available
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20130329/64cc5a4a/attachment.obj>