adopt any-to-tcp feature to the recursor. Based on a patch by Winfrie…

…d Angele. Closes PowerDNS#836
mind04 · Nov 5, 2013 · 2f32f54 · 2f32f54
1 parent 600cad9
commit 2f32f54
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml
@@ -14109,6 +14109,15 @@ sql> insert into domainmetadata (domain_id, kind, content) values (6, 'TSIG-ALLO
 	      </para>
 	    </listitem>
 	  </varlistentry>
+          <varlistentry>
+            <term>any-to-tcp | any-to-tcp=yes | any-to-tcp=no</term>
+            <listitem>
+              <para>
+                Answer questions for the ANY type on UDP with a truncated packet that refers the
+                remote server to TCP. Useful for mitigating ANY reflection attacks. Defaults to off.
+              </para>
+            </listitem>
+          </varlistentry>
 	  <varlistentry>
 	    <term>dont-query</term>
 	    <listitem>

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
@@ -75,6 +75,7 @@ __thread unsigned int t_id;
 unsigned int g_maxTCPPerClient;
 unsigned int g_networkTimeoutMsec;
 bool g_logCommonErrors;
+bool g_anyToTcp;
 __thread shared_ptr<RecursorLua>* t_pdl;
 __thread RemoteKeeper* t_remotes;
 __thread shared_ptr<Regex>* t_traceRegex;
@@ -512,6 +513,11 @@ void startDoResolve(void *p)
     pw.getHeader()->id=dc->d_mdp.d_header.id;
     pw.getHeader()->rd=dc->d_mdp.d_header.rd;
 
+    if(dc->d_mdp.d_qtype==QType::ANY && !dc->d_tcp && g_anyToTcp) {
+      pw.getHeader()->tc=1;
+      goto sendit;
+    }
+
     SyncRes sr(dc->d_now);
     bool tracedQuery=false; // we could consider letting Lua know about this too
     if(t_traceRegex->get() && (*t_traceRegex)->match(dc->d_mdp.d_qname)) {
@@ -1779,6 +1785,8 @@ int serviceMain(int argc, char*argv[])
 
 
   g_logCommonErrors=::arg().mustDo("log-common-errors");
+
+  g_anyToTcp = ::arg().mustDo("any-to-tcp");
 
   makeUDPServerSockets();
   makeTCPServerSockets();
@@ -2053,6 +2061,7 @@ int main(int argc, char **argv)
     ::arg().setSwitch( "disable-edns", "Disable EDNS - EXPERIMENTAL, LEAVE DISABLED" )= ""; 
     ::arg().setSwitch( "disable-packetcache", "Disable packetcache" )= "no"; 
     ::arg().setSwitch( "pdns-distributes-queries", "If PowerDNS itself should distribute queries over threads (EXPERIMENTAL)")="no";
+    ::arg().setSwitch( "any-to-tcp","Answer ANY queries with tc=1, shunting to TCP" )="no";
     ::arg().set("include-dir","Include *.conf files from this directory")="";
 
     ::arg().setCmd("help","Provide a helpful message");