
implement minimum-ttl-override setting and rec_control set-minimum-ttl for dealing with DoS
1 parent 5c889cf commit aadceba89c87c60b76a6939a4a113d108c2fe3df @ahupowerdns ahupowerdns committed Apr 18, 2014
Showing with 26 additions and 0 deletions.
  1. +3 −0 pdns/pdns_recursor.cc
  2. +15 −0 pdns/rec_channel_rec.cc
  3. +7 −0 pdns/syncres.cc
  4. +1 −0 pdns/syncres.hh
@@ -1793,6 +1793,8 @@ int serviceMain(int argc, char*argv[])
g_quiet=false;
}
+ SyncRes::s_minimumTTL = ::arg().asNum("minimum-ttl-override");
+
checkLinuxIPv6Limits();
try {
vector<string> addrs;
@@ -2153,6 +2155,7 @@ int main(int argc, char **argv)
::arg().setSwitch( "pdns-distributes-queries", "If PowerDNS itself should distribute queries over threads (EXPERIMENTAL)")="no";
::arg().setSwitch( "any-to-tcp","Answer ANY queries with tc=1, shunting to TCP" )="no";
::arg().set("udp-truncation-threshold", "Maximum UDP response size before we truncate")="1680";
+ ::arg().set("minimum-ttl-override", "Set under adverse conditions, a minimum TTL")="0";
::arg().set("include-dir","Include *.conf files from this directory")="";
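Review bot: The assignment at the top of this section stores the result of `::arg().asNum("minimum-ttl-override")` into `SyncRes::s_minimumTTL`, which is declared `unsigned int`; if `asNum` returns a signed value as its name suggests, a negative setting in the config silently wraps to a TTL floor of about 4.29e9 seconds, which pins every record that enters the cache effectively forever. A guard before the store would make that an error instead: `int minTTL = ::arg().asNum("minimum-ttl-override");`, `if(minTTL < 0) throw runtime_error("minimum-ttl-override must be >= 0");`, `SyncRes::s_minimumTTL = minTTL;`. The option description added in the second hunk also leaves the unit unstated; something like `"Set under adverse conditions, a minimum TTL in seconds applied to every record in upstream responses (0 disables)"` tells the operator what the knob actually does. serviceMain and main both start and end outside these hunks.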
@@ -246,6 +246,16 @@ string doWipeCache(T begin, T end)
return "wiped "+lexical_cast<string>(count)+" records, "+lexical_cast<string>(countNeg)+" negative records\n";
}
+template<typename T>
+string setMinimumTTL(T begin, T end)
+{
+ if(end-begin != 1)
+ return "Need to supply new minimum TTL number\n";
+ SyncRes::s_minimumTTL = atoi(begin->c_str());
+ return "New minimum TTL: " + lexical_cast<string>(SyncRes::s_minimumTTL) + "\n";
+}
+
+
static uint64_t getSysTimeMsec()
{
struct rusage ru;
@@ -620,6 +630,7 @@ string RecursorControlParser::getAnswer(const string& question, RecursorControlP
"reload-acls reload ACLS\n"
"reload-lua-script [filename] (re)load Lua script\n"
"reload-zones reload all auth and forward zones\n"
+"set-minimum-ttl value set mininum-ttl-override\n"
"trace-regex regex emit resolution trace for matching queries\n"
"top-remotes show top remotes\n"
"unload-lua-script unload Lua script\n"
@@ -699,6 +710,10 @@ string RecursorControlParser::getAnswer(const string& question, RecursorControlP
if(cmd=="reload-zones") {
return reloadAuthAndForwards();
}
+
+ if(cmd=="set-minimum-ttl") {
+ return setMinimumTTL(begin, end);
+ }
if(cmd=="get-qtypelist") {
return g_rs.getQTypeReport();
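Review bot: `setMinimumTTL` parses the operator-supplied value with `atoi` and stores it into the unsigned `SyncRes::s_minimumTTL` with no range check, so `set-minimum-ttl -1` sets a floor of 4294967295 seconds and pins everything in the cache indefinitely, while `set-minimum-ttl abc` silently becomes 0 and turns the override off, both reported back as a successful "New minimum TTL". Parsing into a signed wide type and rejecting negatives, out-of-range values and non-numeric input keeps an emergency knob from becoming a self-inflicted outage. The help line in the later hunk also misspells the setting as `mininum-ttl-override`. Note too that this command writes a plain static that `SyncRes::doResolveAt` reads on the resolving threads; the rest of this file presumably treats such statics the same way, but it is worth a comment that the write is unsynchronized.
```cpp
string setMinimumTTL(T begin, T end)
{
  // … unchanged: argument-count check …
  long long value;
  try {
    value = lexical_cast<long long>(*begin);
  }
  catch(const std::exception&) {
    return "Invalid minimum TTL '" + *begin + "'\n";
  }
  if(value < 0 || value > 0xffffffffLL)
    return "Minimum TTL must be between 0 and 4294967295\n";
  SyncRes::s_minimumTTL = static_cast<unsigned int>(value);
  // … unchanged: "New minimum TTL" reply …
}
```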
@@ -59,6 +59,7 @@ unsigned int SyncRes::s_throttledqueries;
unsigned int SyncRes::s_dontqueries;
unsigned int SyncRes::s_nodelegated;
unsigned int SyncRes::s_unreachables;
+unsigned int SyncRes::s_minimumTTL;
bool SyncRes::s_doIPv6;
bool SyncRes::s_nopacketcache;
@@ -1005,6 +1006,12 @@ int SyncRes::doResolveAt(set<string, CIStringCompare> nameservers, string auth,
t_sstorage->nsSpeeds[*tns].submit(*remoteIP, lwr.d_usec, &d_now);
}
+ if(s_minimumTTL) {
+ for(LWResult::res_t::iterator i=lwr.d_result.begin();i != lwr.d_result.end();++i) {
+ i->ttl = max(i->ttl, s_minimumTTL);
+ }
+ }
+
typedef map<pair<string, QType>, set<DNSResourceRecord>, TCacheComp > tcache_t;
tcache_t tcache;
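Review bot: The loop at the top of the second hunk raises the TTL of every record in `lwr.d_result` without regard to what the record is, so the floor is applied not only to answer records but, presumably, to delegation NS records and glue and to whatever authority data the response carries, which widens how long a stale or bogus referral lives in the cache once the override is on. That is acceptable for a knob meant for "adverse conditions", but it needs to be stated where the clamp happens, e.g. `// Emergency TTL floor (minimum-ttl-override / rec_control set-minimum-ttl): applied to every record in the response, including delegation and authority data, so that low-TTL answers cannot be used to force a re-query on every lookup. 0 disables.` There is also no upper bound on `s_minimumTTL`, so the damage from a mistyped value is limited only by the parsing on the control path. doResolveAt begins and ends outside this hunk.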
@@ -289,6 +289,7 @@ public:
static unsigned int s_tcpoutqueries;
static unsigned int s_nodelegated;
static unsigned int s_unreachables;
+ static unsigned int s_minimumTTL;
static bool s_doAAAAAdditionalProcessing;
static bool s_doAdditionalProcessing;
static bool s_doIPv6;
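Review bot: The new `s_minimumTTL` member is added without a comment, and unlike the neighbouring counters it is a tunable that the control channel writes at runtime, so the header is the place to record its unit and the disabling value: `static unsigned int s_minimumTTL; // TTL floor in seconds applied to every record in an upstream response; 0 disables`. The enclosing class definition starts and ends outside this hunk.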
