From e1229e375ff16481451f4dce139a4e1a11ca7a07 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Tue, 20 Feb 2024 15:29:34 +0100
Subject: [PATCH] Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage (#1010)
* Mention REFUSED with TC with unmatched allow_cookie acl in manpage
Also moved the part about bypassing ip-ratelimit to the ip-ratelimit description as it will be bypassed with a valid DNS-Cookie regardless of the allow_cookie acl.
* Apply suggestions from code review
* Update doc/unbound.conf.5.in
* DNS-Cookies should bypass ip-ratelimit setting
---
 daemon/worker.c | 13 +++----------
 doc/unbound.conf.5.in | 11 ++++++-----
 2 files changed, 9 insertions(+), 15 deletions(-)
diff --git a/daemon/worker.c b/daemon/worker.c
index aeadf32d4..b9ec7544b 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -1327,15 +1327,6 @@ deny_refuse_non_local(struct comm_point* c, enum acl_access acl,
 worker, repinfo, acladdr, ede, check_result);
 }
 
-/* Returns 1 if the ip rate limit check can happen before EDNS parsing,
- * else 0 */
-static int
-pre_edns_ip_ratelimit_check(enum acl_access acl)
-{
- if(acl == acl_allow_cookie) return 0;
- return 1;
-}
-
 /* Check if the query is blocked by source IP rate limiting.
  * Returns 1 if it passes the check, 0 otherwise. */
 static int
@@ -1499,7 +1490,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 }
 worker->stats.num_queries++;
 
- pre_edns_ip_ratelimit = pre_edns_ip_ratelimit_check(acl);
+ pre_edns_ip_ratelimit = !worker->env.cfg->do_answer_cookie
+ || sldns_buffer_limit(c->buffer) < LDNS_HEADER_SIZE
+ || LDNS_ARCOUNT(sldns_buffer_begin(c->buffer)) == 0;
 
 /* If the IP rate limiting check needs extra EDNS information (e.g.,
  * DNS Cookies) postpone the check until after EDNS is parsed. */
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 837e512fe..84eddd941 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
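Review bot: The three-clause expression assigned to `pre_edns_ip_ratelimit` in worker_handle_request replaces a named, documented helper with inline logic whose rationale is no longer stated; the surviving comment below it only says the check may be postponed, not why these three conditions decide it. I would add above the assignment: `/* A DNS Cookie can only be present when answer-cookie is on and the query carries an OPT RR in the additional section (ARCOUNT > 0); in every other case the IP ratelimit can run before EDNS parsing. */`. Unlike the removed `pre_edns_ip_ratelimit_check(acl)`, the decision no longer depends on the acl, so with answer-cookie enabled any query whose header sets ARCOUNT > 0 defers the ratelimit until after EDNS parsing — presumably intended, since the commit message says a valid cookie bypasses the limit regardless of the allow_cookie acl, but the fact that such queries are parsed before being rate-limited is worth recording in that comment. The short-circuit order correctly keeps the `LDNS_ARCOUNT` read behind the `LDNS_HEADER_SIZE` length check. worker_handle_request continues outside the hunk.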
@@ -744,7 +744,7 @@ the cache contents (for malicious acts). However, nonrecursive queries can also be a valuable debugging tool (when you want to examine the cache contents). In that case use \fIallow_snoop\fR for your administration host. .IP -The \fIallow_cookie\fR action allows access to UDP queries that contain a +The \fIallow_cookie\fR action allows access only to UDP queries that contain a valid DNS Cookie as specified in RFC 7873 and RFC 9018, when the \fBanswer\-cookie\fR option is enabled. UDP queries containing only a DNS Client Cookie and no Server Cookie, or an @@ -753,10 +753,8 @@ generated DNS Cookie, allowing clients to retry with that DNS Cookie. The \fIallow_cookie\fR action will also accept requests over stateful transports, regardless of the presence of an DNS Cookie and regardless of the \fBanswer\-cookie\fR setting. -If \fBip\-ratelimit\fR is used, clients with a valid DNS Cookie will bypass the -ratelimit. -If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR -can be used instead. +UDP queries without a DNS Cookie receive REFUSED responses with the TC flag set, +that may trigger fall back to TCP for those clients. .IP By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd. The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS @@ -1850,6 +1848,9 @@ The ratelimit is in queries per second that are allowed. More queries are completely dropped and will not receive a reply, SERVFAIL or otherwise. IP ratelimiting happens before looking in the cache. This may be useful for mitigating amplification attacks. +Clients with a valid DNS Cookie will bypass the ratelimit. +If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR +can be used instead. Default is 0 (disabled). .TP 5 .B ip\-ratelimit\-cookie: \fI