upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2026-02-15 16:48:05 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Set max-udp-size default to 1232. This is the same default value as

Browse source 
the default value for edns-buffer-size. It restricts client edns
  buffer size choices, and makes unbound behave similar to other DNS
  resolvers. The new choice, down from 4096 means it is harder to get
  large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
  Tsinghua University.
This commit is contained in:
W.C.A. Wijngaards 2023-01-19 14:16:17 +01:00
parent b12ab31ae3
commit d69f875261
4 changed files with 13 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
doc/Changelog
View file

@ -1,3 +1,11 @@
19 January 2023: Wouter
- Set max-udp-size default to 1232. This is the same default value as
the default value for edns-buffer-size. It restricts client edns
buffer size choices, and makes unbound behave similar to other DNS
resolvers. The new choice, down from 4096 means it is harder to get
large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
Tsinghua University.
18 January 2023: Wouter
- Fix not following cleared RD flags potentially enables amplification
DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab,

4
doc/example.conf.in
View file

@ -143,8 +143,8 @@ server:
# edns-buffer-size: 1232
# Maximum UDP response size (not applied to TCP response).
# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
# max-udp-size: 4096
# Suggested values are 512 to 4096. Default is 1232. 65536 disables it.
# max-udp-size: 1232
# max memory to use for stream(tcp and tls) waiting result buffers.
# stream-wait-size: 4m

3
doc/unbound.conf.5.in
View file

@ -233,7 +233,8 @@ number).
.B max\-udp\-size: \fI<number>
Maximum UDP response size (not applied to TCP response). 65536 disables the
udp response size maximum, and uses the choice from the client, always.
Suggested values are 512 to 4096. Default is 4096.
Suggested values are 512 to 4096. Default is 1232. The default value is the
same as the default for edns\-buffer\-size.
.TP
.B stream\-wait\-size: \fI<number>
Number of bytes size maximum to use for waiting stream buffers. Default is

2
util/config_file.c
View file

@ -300,7 +300,7 @@ config_create(void)
cfg->minimal_responses = 1;
cfg->rrset_roundrobin = 1;
cfg->unknown_server_time_limit = 376;
cfg->max_udp_size = 4096;
cfg->max_udp_size = 1232; /* value taken from edns_buffer_size */
if(!(cfg->server_key_file = strdup(RUN_DIR"/unbound_server.key")))
goto error_exit;
if(!(cfg->server_cert_file = strdup(RUN_DIR"/unbound_server.pem")))