
adopt any-to-tcp feature to the recursor. Based on a patch by Winfried Angele. Closes #836
1 parent 88ba171 commit e661a20b49162eb2ca1ecd157216beaa6450fc49 @Habbie Habbie committed Nov 5, 2013
Showing with 18 additions and 0 deletions.
  1. +9 −0 pdns/docs/pdns.xml
  2. +9 −0 pdns/pdns_recursor.cc
@@ -14109,6 +14109,15 @@ sql> insert into domainmetadata (domain_id, kind, content) values (6, 'TSIG-ALLO
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>any-to-tcp | any-to-tcp=yes | any-to-tcp=no</term>
+ <listitem>
+ <para>
+ Answer questions for the ANY type on UDP with a truncated packet that refers the
+ remote server to TCP. Useful for mitigating ANY reflection attacks. Defaults to off.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>dont-query</term>
<listitem>
@@ -75,6 +75,7 @@ __thread unsigned int t_id;
unsigned int g_maxTCPPerClient;
unsigned int g_networkTimeoutMsec;
bool g_logCommonErrors;
+bool g_anyToTcp;
__thread shared_ptr<RecursorLua>* t_pdl;
__thread RemoteKeeper* t_remotes;
__thread shared_ptr<Regex>* t_traceRegex;
@@ -512,6 +513,11 @@ void startDoResolve(void *p)
pw.getHeader()->id=dc->d_mdp.d_header.id;
pw.getHeader()->rd=dc->d_mdp.d_header.rd;
+ if(dc->d_mdp.d_qtype==QType::ANY && !dc->d_tcp && g_anyToTcp) {
+ pw.getHeader()->tc=1;
+ goto sendit;
+ }
+
SyncRes sr(dc->d_now);
bool tracedQuery=false; // we could consider letting Lua know about this too
if(t_traceRegex->get() && (*t_traceRegex)->match(dc->d_mdp.d_qname)) {
@@ -1779,6 +1785,8 @@ int serviceMain(int argc, char*argv[])
g_logCommonErrors=::arg().mustDo("log-common-errors");
+
+ g_anyToTcp = ::arg().mustDo("any-to-tcp");
makeUDPServerSockets();
makeTCPServerSockets();
@@ -2053,6 +2061,7 @@ int main(int argc, char **argv)
::arg().setSwitch( "disable-edns", "Disable EDNS - EXPERIMENTAL, LEAVE DISABLED" )= "";
::arg().setSwitch( "disable-packetcache", "Disable packetcache" )= "no";
::arg().setSwitch( "pdns-distributes-queries", "If PowerDNS itself should distribute queries over threads (EXPERIMENTAL)")="no";
+ ::arg().setSwitch( "any-to-tcp","Answer ANY queries with tc=1, shunting to TCP" )="no";
::arg().set("include-dir","Include *.conf files from this directory")="";
::arg().setCmd("help","Provide a helpful message");
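Review bot: The new `goto sendit` in startDoResolve (right after `pw.getHeader()->rd=...`) leaves the function before `SyncRes sr(dc->d_now)` and everything that normally runs up to `sendit:`, so whatever the regular path adds to the reply later (answer records, further header flags, EDNS or packet-cache handling — none of it visible in this hunk) is absent from the truncated response; that is the intent of a TC referral, but the block carries no comment saying so, e.g. `// ANY over UDP is an amplification vector: reply with an empty packet and TC=1 so the client retries over TCP (any-to-tcp)`. A `goto` may not jump past the initialization of a non-trivially-constructed local such as `sr`, so this compiles only if `sendit:` lies outside sr's scope (presumably after an enclosing try block); in that case the code at the label must be prepared for a packet that holds only the question section, which is worth confirming. The check `!dc->d_tcp` correctly limits the referral to UDP queries, and `g_anyToTcp` is written once in serviceMain before the listening sockets are created, matching how `g_logCommonErrors` is handled. startDoResolve, serviceMain and main all begin and end outside these hunks.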
