I wrote an experimental "avoid-fragmentation" patch for NSD (as per Section 3.1 and Appendix C). Due to the dependency on getsockopt(IP_MTU), it currently should work on Linux only.

https://github.com/hdais/nsd-avoid-fragmentation#avoid-fragmentation-implementation-for-nsd
https://github.com/hdais/nsd-avoid-fragmentation/commit/e34931ece95d4bcc20d71d3f3a18e037d2772f23

I did several tests on avoid-fragmentation, and got some findings or questions:

- avoid-fragmentation (current draft) can be implemented by small modifications, as you can see above.

- A first response (to a requester with a small PMTU) can be lost because nobody knows the PMTU for a destination to which a large packet was never sent. It slows down name resolution.

- Fortunately this is not a big problem because 1) it will be recovered by retransmission by the requester, and 2) this rarely occurs. Most advertised EDNS bufsizes fit in most MTUs (slightly smaller than 1500) thanks to DNS flag day 2020.

- Possible TCP fallback attack. An attacker can spoof the PMTU by sending a fake ICMP NEEDFRAG with a small MTU (like 512) and trigger TCP fallback for any requester/responder session (e.g. DNS sessions between large DNS authoritative services and a large ISP DNS resolver).

- Is an API to get the PMTU to any destination available on many platforms (other than Linux)?

I am really concerned about the TCP fallback attack. Most DNS servers / resolvers are not yet prepared with the resources to handle many TCP requests. We need some protection or a PMTU probing method not depending on ICMP.

> Section 3.4 of [RFC1122] specifies FIND_MAXSIZES() as one of
> "INTERNET/TRANSPORT LAYER INTERFACEs".

That should be GET_MAXSIZES() in RFC1122. (But is it available on many platforms?)

--
Daisuke Higashi

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
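Editor's note: the following C program is an added example, not code from the post above or from the nsd-avoid-fragmentation patch. It shows the responder-side decision an avoid-fragmentation responder has to make (compare the response length against min(EDNS bufsize, PMTU minus IP/UDP headers) and set TC=1 when it does not fit), and the Linux-only getsockopt(IP_MTU) lookup the post relies on, read from a connected UDP socket. The 1200-byte response, the 1232 bufsize, the 1500 and 512 MTU values and the loopback destination are constructed sample values; the IPV6_MTU branch is an assumption, since the post only mentions IP_MTU. Running it shows how a cached PMTU lowered to 512, whether by a genuine or a spoofed ICMP "fragmentation needed", flips the same response from a single UDP datagram to TC=1 and a TCP retry, which is the attack surface described above.

```c
/* Added example (not from the post or the nsd-avoid-fragmentation patch).
 * Responder-side avoid-fragmentation decision plus the Linux getsockopt(IP_MTU)
 * lookup. All sizes in main() are constructed sample values. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define IPV4_OVERHEAD 28   /* 20-byte IPv4 header + 8-byte UDP header */
#define IPV6_OVERHEAD 48   /* 40-byte IPv6 header + 8-byte UDP header */

/* Largest DNS/UDP payload that fits both the requester's EDNS bufsize and
 * the path MTU for the given address family. */
int max_udp_payload(int pmtu, int edns_bufsize, int af)
{
    int overhead = (af == AF_INET6) ? IPV6_OVERHEAD : IPV4_OVERHEAD;
    int by_mtu = pmtu - overhead;
    if (by_mtu < 0)
        by_mtu = 0;
    return edns_bufsize < by_mtu ? edns_bufsize : by_mtu;
}

/* 1 when the response must go out with TC=1 (forcing TCP fallback),
 * 0 when it fits in one unfragmented UDP datagram. */
int needs_tc(int response_len, int pmtu, int edns_bufsize, int af)
{
    return response_len > max_udp_payload(pmtu, edns_bufsize, af);
}

/* Ask the kernel for its cached path MTU toward dst. Linux only: IP_MTU /
 * IPV6_MTU are read from a connected UDP socket and reflect whatever ICMP
 * "fragmentation needed" / "packet too big" messages the kernel has accepted,
 * spoofed or not. Before any ICMP arrives this is just the route MTU.
 * Returns -1 when unavailable. The IPV6_MTU branch is an assumption; the
 * post only mentions IP_MTU. */
int query_path_mtu(const struct sockaddr *dst, socklen_t dstlen)
{
#ifdef __linux__
    int fd = socket(dst->sa_family, SOCK_DGRAM, 0);
    int mtu = -1;
    socklen_t len = sizeof(mtu);
    if (fd < 0)
        return -1;
    if (connect(fd, dst, dstlen) == 0) {
        int rc = (dst->sa_family == AF_INET6)
            ? getsockopt(fd, IPPROTO_IPV6, IPV6_MTU, &mtu, &len)
            : getsockopt(fd, IPPROTO_IP, IP_MTU, &mtu, &len);
        if (rc != 0)
            mtu = -1;
    }
    close(fd);
    return mtu;
#else
    (void)dst;
    (void)dstlen;
    return -1;
#endif
}

int main(void)
{
    /* Constructed scenario: a 1200-byte response to an IPv4 requester that
     * advertised EDNS bufsize 1232. */
    int response_len = 1200, bufsize = 1232;

    /* Fresh destination: the kernel reports the route MTU (1500). */
    printf("pmtu 1500: max payload %d, TC=%d\n",
           max_udp_payload(1500, bufsize, AF_INET),
           needs_tc(response_len, 1500, bufsize, AF_INET));

    /* After a (possibly spoofed) ICMP NEEDFRAG with MTU 512 the same
     * response no longer fits and the responder falls back to TCP. */
    printf("pmtu  512: max payload %d, TC=%d\n",
           max_udp_payload(512, bufsize, AF_INET),
           needs_tc(response_len, 512, bufsize, AF_INET));

    /* Live lookup toward loopback, just to exercise the syscall path. */
    struct sockaddr_in lo;
    memset(&lo, 0, sizeof lo);
    lo.sin_family = AF_INET;
    lo.sin_port = htons(53);
    inet_pton(AF_INET, "127.0.0.1", &lo.sin_addr);
    printf("kernel PMTU to 127.0.0.1: %d\n",
           query_path_mtu((struct sockaddr *)&lo, sizeof lo));
    return 0;
}
```

Note that query_path_mtu() never sends a packet: on Linux the connected-socket IP_MTU value is whatever the routing cache currently holds, so a single forged ICMP from anyone who can guess the source/destination pair changes the answer for every subsequent response to that requester. The pure functions above are the part worth unit-testing; the kernel lookup is environment-dependent and returns -1 on platforms without IP_MTU.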
