Maximum size of UDP responses?

I would like to experiment with lower maximum UDP response sizes. With
BIND, I would set max-udp-size. I do not find the equivalent for
Unbound.

edns-buffer-size: it's what is advertised to the authoritative
servers, I would like a different value for the answers to the
clients.

msg-buffer-size: it's for TCP as well, I would like something for UDP
only.

Hi Stephane,

I'm creating a patch which adds a directive "max-udp-size" and a new ACL
action "allow_minimal". You can apply this patch to Unbound-1.4.20 or
current trunk.

"max-udp-size" is almost exactly the same as BIND9's.

ACL action "allow_minimal" is like "allow" but limits UDP response
size to 512 bytes. Essentially it limits the amplification rate of DNS
reflection attacks more aggressively.

DNS reflection attacks against hosts matching ACL "allow" are still
feasible though we have implemented IP address based authorization
(RFC5358). "allow_minimal" could mitigate this kind of attack. You
can apply "allow_minimal" to users under attack as a temporary
configuration, or to hosts which query without EDNS0 (like most stub
resolvers) as a permanent configuration.

Any comments? I hope this patch will be applied to mainline.

Regards,

(attachments)

unbound-maxudp-allowmininal.patch (8.06 KB)

a message of 199 lines which said:

"max-udp-size" is almost exactly the same as BIND9's.

Very good idea. I note that NSD has two parameters for that, one for
IPv4 responses and one for IPv6 (to deal with MTU issues). I wonder if
it's worth the complexity?

ACL action "allow_minimal" is like "allow" but limits UDP response
size to 512 bytes. Essentially it limits the amplification rate of
DNS reflection attacks more aggressively.

Very good idea.

"max-udp-size" is almost exactly the same as BIND9's.

Very good idea. I note that NSD has two parameters for that, one for
IPv4 responses and one for IPv6 (to deal with MTU issues). I wonder if
it's worth the complexity?

This patch adds directives udp-max-size-ip4 and udp-max-size-ip6
instead of udp-max-size.

It seems OK and has no performance impact, but I'm not sure about the
use of the function "addr_is_ip6()".

Regards,

(attachments)

unbound-maxudpv4v6-allowmininal.patch (9.42 KB)

Hi Daisuke,

"max-udp-size" is almost exactly the same as BIND9's.

Very good idea. I note that NSD has two parameters for that, one
for IPv4 responses and one for IPv6 (to deal with MTU issues). I
wonder if it's worth the complexity?

This patch adds directives udp-max-size-ip4 and udp-max-size-ip6
instead of udp-max-size.

It seems OK and has no performance impact, but I'm not sure about the
use of the function "addr_is_ip6()".

Your patches are good quality. One thing I am not sure about is that
allow_minimal, with 512-byte responses, does not allow the client to
use DNSSEC validation, because 512 is often too small to do so. Or do
you want it to use TCP as it receives +TC replies?

Also, additional configuration options are not really good; we want to
avoid code-bloat. If this is useful for many users, it could be
added, as the operational environment for DNS services changes. Is
this more of an experiment (it seems now), or a necessary feature?

Best regards,
   Wouter

Hi Wouter, thanks for your comments.

One thing I am not sure about is that
allow_minimal, with 512-byte responses, does not allow the client to
use DNSSEC validation, because 512 is often too small to do so. Or do
you want it to use TCP as it receives +TC replies?

  Yes, it will send +TC replies and the requester will retry the query via TCP.
For the reason you said (512 bytes is too small for DNSSEC replies) we
should not apply allow_minimal to all normal and legitimate users. But
IMHO it's useful under some circumstances and worth some added code.

  In addition to mitigating amplification attacks against legitimate
users, another use case of allow_minimal is as a first step to closing
an open resolver. In my experience the first step in implementing IP
address authorization (RFC5358) on an open resolver is investigating who
uses the resolver and asking them to use an appropriate resolver. This
work often takes a long time, especially in a large ISP environment. To
mitigate DNS amplification attacks (by this resolver) during this work
we could immediately apply "allow_minimal" as a temporary configuration
as below.

# Step.0: open-resolver's ACL configuration.
access-control: 0.0.0.0/0 allow

Hi Wouter,

Here is a patch to implement only "max-udp-size" (a revised version).
I hope this will be applied to mainline.

max-udp-size: <number>
   Maximum UDP response size.
   Valid values are 512 to 4096. Default is 4096.

Regardless of my allow_minimal patch, Unbound should implement the
max-udp-size option and default it to 4096, because currently Unbound's
response size has no limit and it can be a dangerous
high-amplification-rate reflector if Unbound is mistakenly configured
as an open resolver. It is also useful if we want to avoid IP
fragmentation.

Regards,

(attachments)

unbound-maxudpsize.patch (6.1 KB)
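To make the effect of such a limit concrete, the following is an added illustration (not code from the patch or from Unbound): it assumes that the server caps a UDP reply at the smaller of the client's advertised EDNS0 buffer (512 bytes when the client sent no OPT record) and max-udp-size, and that an over-limit reply is cut back to header plus question with TC set, so the client retries over TCP. The query, the 60-address answer and the 192.0.2.0/24 addresses are constructed sample data.

```python
import struct

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus root label."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qid=0x1234):
    """Plain A query without EDNS0, as most stub resolvers send it."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN

def build_response(qname, addrs, qid=0x1234):
    """Full response carrying one A record per address (constructed sample)."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA
    msg = header + encode_name(qname) + struct.pack("!HH", 1, 1)
    for a in addrs:
        # Name pointer to offset 12 (question name), type A, class IN, TTL, rdlength 4.
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(int(x) for x in a.split("."))
    return msg

def effective_udp_limit(client_edns_bufsize, max_udp_size):
    """Assumed cap on a UDP reply: min(client's EDNS0 buffer, max-udp-size).
    A client that sent no OPT record gets the classic 512-byte limit."""
    client_limit = client_edns_bufsize if client_edns_bufsize else 512
    return min(client_limit, max_udp_size)

def udp_reply(response, limit):
    """Return (wire_bytes, truncated). Over the limit: keep header and question,
    set the TC bit and zero the answer/authority/additional counts.
    Assumes an uncompressed question name (no zero byte before the root label)."""
    if len(response) <= limit:
        return response, False
    qid, flags, qd = struct.unpack("!HHH", response[:6])
    name_end = response.index(b"\x00", 12) + 1      # end of question name
    question = response[12:name_end + 4]            # name + qtype + qclass
    header = struct.pack("!HHHHHH", qid, flags | 0x0200, qd, 0, 0, 0)  # TC = 0x0200
    return header + question, True

def amplification(query, reply):
    """Bytes sent to the (possibly spoofed) source per byte of query."""
    return len(reply) / len(query)
```

With a non-EDNS0 client and max-udp-size 4096 the 990-byte sample answer is cut to a 30-byte +TC reply (amplification 1.0 instead of 33x); with a 4096-byte EDNS0 buffer the full answer fits.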

Hi Daisuke,