any-to-tcp now feature complete & documented

1 parent abc8f3f commit 357f6a75e6632efcdd00ef7cb1ee812d64a9c54a @ahupowerdns ahupowerdns committed May 21, 2013
Showing with 22 additions and 16 deletions.
  1. +6 −5 pdns/common_startup.cc
  2. +2 −2 pdns/common_startup.hh
  3. +5 −0 pdns/docs/pdns.xml
  4. +4 −9 pdns/packethandler.cc
  5. +5 −0 pdns/pdns.conf-dist
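--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -16,7 +16,7 @@
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 */
 #include "common_startup.hh"
-
+bool g_anyToTcp;
 typedef Distributor<DNSPacket,DNSPacket,PacketHandler> DNSDistributor;
@@ -30,7 +30,7 @@ UDPNameserver *N;
 int avg_latency;
 TCPNameserver *TN;
-bool g_anyToTCP;
+
 ArgvMap &arg()
 {
@@ -102,6 +102,7 @@ void declareArguments()
 ::arg().setSwitch("webserver","Start a webserver for monitoring")="no";
 ::arg().setSwitch("webserver-print-arguments","If the webserver should print arguments")="no";
 ::arg().setSwitch("edns-subnet-processing","If we should act on EDNS Subnet options")="no";
+ ::arg().setSwitch("any-to-tcp","Answer ANY queries with tc=1, shunting to TCP")="no";
 ::arg().set("edns-subnet-option-number","EDNS option number to use")="20730";
 ::arg().set("webserver-address","IP Address of webserver to listen on")="127.0.0.1";
 ::arg().set("webserver-port","Port of webserver to listen on")="8081";
@@ -331,12 +332,11 @@ void mainthread()
 int newuid=0;
 if(!::arg()["setuid"].empty())
 newuid=Utility::makeUidNumeric(::arg()["setuid"]);
-
+ g_anyToTcp = ::arg().mustDo("any-to-tcp");
 DNSPacket::s_doEDNSSubnetProcessing = ::arg().mustDo("edns-subnet-processing");
-
+
 #ifndef WIN32
-
 if(!::arg()["chroot"].empty()) {
 if(::arg().mustDo("master") || ::arg().mustDo("slave"))
 gethostbyname("a.root-servers.net"); // this forces all lookup libraries to be loaded
@@ -348,6 +348,7 @@ void mainthread()
 L<<Logger::Error<<"Chrooted to '"<<::arg()["chroot"]<<"'"<<endl;
 }
 #endif
+
 StatWebServer sws;
 Utility::dropPrivs(newuid, newgid);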
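Review bot: The new definition `bool g_anyToTcp;` in the first hunk relies on zero-initialization for its false default and says nothing about who owns the value, even though the later mainthread() hunk assigns it from `::arg().mustDo("any-to-tcp")` and packethandler.cc reads it; I would make both explicit: `bool g_anyToTcp = false; // 'any-to-tcp' setting; set once in mainthread(), read by PacketHandler::questionOrRecurse`. The assignment sits between the setuid parsing and Utility::dropPrivs(), so it presumably runs before any packet-handler thread starts, but that ordering is not visible in these hunks and is worth confirming since the flag appears to be read without any synchronization. The mainthread() hunks show only part of the function.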
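--- a/pdns/common_startup.hh
+++ b/pdns/common_startup.hh
@@ -43,12 +43,12 @@ extern CommunicatorClass Communicator;
 extern UDPNameserver *N;
 extern int avg_latency;
 extern TCPNameserver *TN;
-
-
 extern ArgvMap & arg( void );
 extern void declareArguments();
 extern void declareStats();
 extern void mainthread();
 extern int isGuarded( char ** );
+extern bool g_anyToTcp;
+
 #endif // COMMON_STARTUP_HH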
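Review bot: The added `extern bool g_anyToTcp;` is the only declaration in this header that a reader cannot trace without grepping, because nothing says where it is defined or what sets it. A one-line comment covers it: `extern bool g_anyToTcp; // 'any-to-tcp' setting, defined and assigned in common_startup.cc (mainthread)`.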
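--- a/pdns/docs/pdns.xml
+++ b/pdns/docs/pdns.xml
@@ -14547,6 +14547,11 @@ To enable a Lua script for a particular slave zone, determine the domain_id for
 recursion from everywhere. Example: <command>allow-recursion=192.168.0.0/24, 10.0.0.0/8, 1.2.3.4</command>.
 </para>
 </listitem></varlistentry>
+ <varlistentry><term>any-to-tcp | any-to-tcp=yes | any-to-tcp=no</term>
+ <listitem><para>
+ Answer questions for the ANY type on UDP with a truncated packet that refers the
+ remote server to TCP. Useful for mitigating ANY reflection attacks. Defaults to off. Available since 3.3.
+ </para></listitem></varlistentry>
 <varlistentry><term>cache-ttl=...</term>
 <listitem><para>
 Seconds to store packets in the PacketCache. See <xref linkend="packetcache"/>.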
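--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -38,17 +38,13 @@
 #include "communicator.hh"
 #include "dnsproxy.hh"
 #include "version.hh"
+#include "common_startup.hh"
 #if 0
 #undef DLOG
 #define DLOG(x) x
 #endif
-
-extern StatBag S;
-extern PacketCache PC;
-extern CommunicatorClass Communicator;
-extern DNSProxy *DP;
-
+
 AtomicCounter PacketHandler::s_count;
 extern string s_programname;
@@ -1165,7 +1161,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
 return r;
 }
- L<<Logger::Warning<<"Query for '"<<p->qdomain<<"' "<<p->qtype.getName()<<" from "<<p->getRemote()<<endl;
+ // L<<Logger::Warning<<"Query for '"<<p->qdomain<<"' "<<p->qtype.getName()<<" from "<<p->getRemote()<< " (tcp="<<p->d_tcp<<")"<<endl;
 r->d.ra = (p->d.rd && d_doRecursion && DP->recurseFor(p)); // make sure we set ra if rd was set, and we'll do it
@@ -1185,8 +1181,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
 if(doVersionRequest(p,r,target)) // catch version.bind requests
 goto sendit;
- if(p->qtype.getCode() == QType::ANY) {
- cerr<<"Shunted it to TCP.."<<endl;
+ if(p->qtype.getCode() == QType::ANY && !p->d_tcp && g_anyToTcp) {
 r->d.tc = 1;
 r->commitD();
 return r;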
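Review bot: The new `QType::ANY && !p->d_tcp && g_anyToTcp` short-circuit returns an empty tc=1 reply before the rest of questionOrRecurse runs, but nothing in these hunks shows how that reply, or a full ANY answer produced for a TCP query, interacts with the packet cache (PC is still in scope via the new common_startup.hh include); if the cache key does not include the transport, a full answer cached from a TCP query could be served to UDP clients, defeating the reflection mitigation, or the tc=1 stub could be cached and handed to TCP clients, so please confirm the cache key or that this path bypasses PC. The check also deserves a why-comment, e.g. `// any-to-tcp: over UDP answer ANY with an empty TC=1 reply so legitimate clients retry over TCP, keeping the UDP response too small to be useful for reflection`. The commented-out `// L<<Logger::Warning<<"Query for '"...` line in the previous hunk is dead code; either drop it or turn it into a `DLOG(...)` like the debug macro this file already defines. questionOrRecurse starts and ends outside these hunks.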
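--- a/pdns/pdns.conf-dist
+++ b/pdns/pdns.conf-dist
@@ -10,6 +10,11 @@
 # allow-recursion=0.0.0.0/0
 #################################
+# any-to-tcp Answer ANY queries with tc=1, shunting to TCP
+#
+# any-to-tcp=no
+
+#################################
 # cache-ttl Seconds to store packets in the PacketCache
 #
 # cache-ttl=20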
