From d69f875261341f0cb44bf673e067576261393157 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Thu, 19 Jan 2023 14:16:17 +0100 Subject: [PATCH] - Set max-udp-size default to 1232. This is the same default value as the default value for edns-buffer-size. It restricts client edns buffer size choices, and makes unbound behave similar to other DNS resolvers. The new choice, down from 4096 means it is harder to get large responses from Unbound. Thanks to Xiang Li, from NISL Lab, Tsinghua University. --- doc/Changelog | 8 ++++++++ doc/example.conf.in | 4 ++-- doc/unbound.conf.5.in | 3 ++- util/config_file.c | 2 +- 4 files changed, 13 insertions(+), 4 deletions(-) diff --git a/doc/Changelog b/doc/Changelog index 4fd636e36..6ba6ead03 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,11 @@ +19 January 2023: Wouter + - Set max-udp-size default to 1232. This is the same default value as + the default value for edns-buffer-size. It restricts client edns + buffer size choices, and makes unbound behave similar to other DNS + resolvers. The new choice, down from 4096 means it is harder to get + large responses from Unbound. Thanks to Xiang Li, from NISL Lab, + Tsinghua University. + 18 January 2023: Wouter - Fix not following cleared RD flags potentially enables amplification DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab, diff --git a/doc/example.conf.in b/doc/example.conf.in index 47c3c4891..1e74f7029 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -143,8 +143,8 @@ server: # edns-buffer-size: 1232 # Maximum UDP response size (not applied to TCP response). - # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. - # max-udp-size: 4096 + # Suggested values are 512 to 4096. Default is 1232. 65536 disables it. + # max-udp-size: 1232 # max memory to use for stream(tcp and tls) waiting result buffers. # stream-wait-size: 4m diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 572ebc34f..aaf900a8c 100644 
--- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -233,7 +233,8 @@ number). .B max\-udp\-size: \fI Maximum UDP response size (not applied to TCP response). 65536 disables the udp response size maximum, and uses the choice from the client, always. -Suggested values are 512 to 4096. Default is 4096. +Suggested values are 512 to 4096. Default is 1232. The default value is the +same as the default for edns\-buffer\-size. .TP .B stream\-wait\-size: \fI Number of bytes size maximum to use for waiting stream buffers. Default is diff --git a/util/config_file.c b/util/config_file.c index e3a770537..843bec2fa 100644 --- a/util/config_file.c +++ b/util/config_file.c @@ -300,7 +300,7 @@ config_create(void) cfg->minimal_responses = 1; cfg->rrset_roundrobin = 1; cfg->unknown_server_time_limit = 376; - cfg->max_udp_size = 4096; + cfg->max_udp_size = 1232; /* value taken from edns_buffer_size */ if(!(cfg->server_key_file = strdup(RUN_DIR"/unbound_server.key"))) goto error_exit; if(!(cfg->server_cert_file = strdup(RUN_DIR"/unbound_server.pem")))
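Review bot: in the unbound.conf.5.in hunk the added sentence "The default value is the same as the default for edns-buffer-size." documents the new number but not why it dropped from 4096, which the commit message gives as the purpose of the change (it is harder to get large responses from Unbound). Since the man page is where an operator decides whether to raise max-udp-size again, consider adding one sentence after "Default is 1232." stating that the lower default limits the size of UDP responses and that raising it back toward 4096 enlarges them, so the trade-off is visible where the setting is documented.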
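Review bot: in the config_create() hunk the new default `cfg->max_udp_size = 1232; /* value taken from edns_buffer_size */` is a second literal rather than a reference to the edns-buffer-size default it is meant to match, so the two can drift apart silently if one is changed later, and the comment only records the intent. Consider initialising both defaults from one shared constant (or setting max_udp_size from the same value used for the edns buffer size default) so the equality the man page and example.conf.in now promise is enforced by the code rather than by a comment.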