diff --git a/doc/Changelog b/doc/Changelog
index 4fd636e36..6ba6ead03 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,11 @@
+19 January 2023: Wouter
+ - Set max-udp-size default to 1232. This is the same default value as
+ the default value for edns-buffer-size. It restricts client edns
+ buffer size choices, and makes unbound behave similar to other DNS
+ resolvers. The new choice, down from 4096 means it is harder to get
+ large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
+ Tsinghua University.
+
 18 January 2023: Wouter
 - Fix not following cleared RD flags potentially enables amplification
 DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab,
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 47c3c4891..1e74f7029 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -143,8 +143,8 @@ server:
 # edns-buffer-size: 1232
 # Maximum UDP response size (not applied to TCP response).
- # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
- # max-udp-size: 4096
+ # Suggested values are 512 to 4096. Default is 1232. 65536 disables it.
+ # max-udp-size: 1232
 # max memory to use for stream(tcp and tls) waiting result buffers.
 # stream-wait-size: 4m
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 572ebc34f..aaf900a8c 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -233,7 +233,8 @@ number).
 .B max\-udp\-size: \fI
 Maximum UDP response size (not applied to TCP response).
 65536 disables the udp response size maximum, and uses the choice from the client, always.
-Suggested values are 512 to 4096. Default is 4096.
+Suggested values are 512 to 4096. Default is 1232. The default value is the
+same as the default for edns\-buffer\-size.
 .TP
 .B stream\-wait\-size: \fI
 Number of bytes size maximum to use for waiting stream buffers. Default is
diff --git a/util/config_file.c b/util/config_file.c
index e3a770537..843bec2fa 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -300,7 +300,7 @@ config_create(void)
 cfg->minimal_responses = 1;
 cfg->rrset_roundrobin = 1;
 cfg->unknown_server_time_limit = 376;
- cfg->max_udp_size = 4096;
+ cfg->max_udp_size = 1232; /* value taken from edns_buffer_size */
 if(!(cfg->server_key_file = strdup(RUN_DIR"/unbound_server.key")))
 goto error_exit;
 if(!(cfg->server_cert_file = strdup(RUN_DIR"/unbound_server.pem")))
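Review bot: The added `cfg->max_udp_size = 1232;` line repeats the 1232 literal while its comment claims the value is taken from edns_buffer_size, so the two defaults can drift apart the next time either one is edited and the comment would then be wrong. If `cfg->edns_buffer_size` is already assigned earlier in config_create (not visible in this hunk), `cfg->max_udp_size = cfg->edns_buffer_size; /* cap UDP responses at the EDNS size we advertise */` ties them together; otherwise a single named constant shared by both defaults avoids the duplicated magic number. The comment should also state why the cap is worth keeping low, since the Changelog gives the rationale (a smaller cap makes large UDP responses harder to obtain, i.e. it bounds the amplification a resolver offers) but the code does not, and 65536 per the man page disables the cap entirely. config_create continues outside the hunk.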