Ignore Path MTU Discovery on UDP server socket #7410
Conversation
| #endif /* IP_PMTUDISC_OMIT */ | ||
|
|
||
| /* IP_PMTUDISC_DONT disables Path MTU discovery */ | ||
| SSetsockopt(sockfd, IPPROTO_IP, IP_MTU_DISCOVER, IP_PMTUDISC_DONT); |
There was a problem hiding this comment.
We should check that IP_MTUDISC_DONT is defined. Note that unbound sets the don't fragment flag on systems that don't have IP_MTUDISC_DONT: https://github.com/NLnetLabs/unbound/blob/master/services/listen_dnsport.c#L571
There was a problem hiding this comment.
Bind is doing the same: https://gitlab.isc.org/isc-projects/bind9/blob/master/lib/isc/unix/socket.c#L2396
There was a problem hiding this comment.
Added the missing check for IP_MTUDISC_DONT. I'm still undecided about setting DF=1.
|
As a datapoint, Knot decided against doing this: https://gitlab.labs.nic.cz/knot/knot-dns/issues/467 |
|
Knot decided against it in 2016 when fragmentation attacks weren't in vogue, though. |
|
Rebased to fix a conflict. |
|
As pointed out by @hdais |
It might help prevent Path MTU poisoning attacks.
|
Move this PR into the rec-4.2.0-beta1 milestone. Now is the time to speak if you are against this change ;-) |
|
Hi Remi, That change seems to be what made DNSCrypt servers running As you know since you implemented the protocol, DNSCrypt requires questions sent over UDP to be as large as responses, using padding. Blocking fragmented questions prevents large responses from being received. Ignoring fragments in responses from authoritative servers is fine, but even with unencrypted queries, I'm not sure that there is any value in dropping fragments on the server socket. A fragment attack would just allow the question to be modified, but a stub resolver would ignore a response for a different query. |
|
Hi Frank, Thanks a lot for reporting this! I have to admit I had completely forgotten that propriety of |
|
Thank you so much Remi! /cc @welwood08 |
Short description
It might help prevent Path MTU poisoning attacks.
Untested, don't merge it yet!
Checklist
I have: