Hi Stephane,

I'm creating a patch which adds directive "max-udp-size" and a new ACL
action "allow_minimal".  You can apply this patch to Unbound-1.4.20 or
current trunk.

"max-udp-size" is almost exactly the same as BIND9's.


ACL action "allow_minimal" is like "allow" but limits the UDP response
size to at most 512 bytes. Essentially it limits the amplification factor
of a DNS reflection attack more aggressively.

A DNS reflection attack against hosts matching the ACL "allow" is still
feasible even though we have implemented IP-address-based authorization
(RFC 5358). "allow_minimal" could mitigate this kind of attack. You
can apply "allow_minimal" to users under attack as a temporary
configuration, or to hosts which query without EDNS0 (like most stub
resolvers) as a permanent configuration.

Any comments? I hope this patch will be applied to mainline.

Regards,
--
 Daisuke HIGASHI <[email protected]>

2013/3/29 Stephane Bortzmeyer <[email protected]>:
> I would like to experiment with lower maximum UDP response sizes. With
> BIND, I would set max-udp-size. I do not find the equivalent for
> Unbound.
>
> edns-buffer-size: it's what is advertised to the authoritative
> servers, I would like a different value for the answers to the
> clients.
>
> msg-buffer-size: it's for TCP as well, I would like something for UDP
> only.
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
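The following is an added illustration of the size limits discussed in this thread; it is not code from the patch, from Unbound or from BIND. It models, in plain Python, how a resolver would cap a UDP reply: the client's EDNS0 advertised payload size (512 when there is no OPT record), a server-side "max-udp-size", and the proposed "allow_minimal" action that clamps the limit to 512 bytes. The query, the oversized TXT response and the truncation strategy (keep leading records while they fit, set TC) are constructed here for the example and are assumptions, not Unbound's actual encoder behaviour; "allow_minimal" is the patch's proposed action name as described above. The point it makes concrete is the amplification factor: bytes sent back per byte received.

```python
import struct

OPT_TYPE = 41       # EDNS0 OPT pseudo-RR type (RFC 6891)
TXT_TYPE = 16
TC_FLAG = 0x0200    # "truncated" bit in the DNS header flags


def _encode_name(name):
    """Wire-format an uncompressed domain name."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte compression pointer
            return off + 2
        off += 1 + length


def _question_end(msg):
    qd = struct.unpack_from("!H", msg, 4)[0]
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # name + QTYPE + QCLASS
    return off


def build_query(name, qtype=TXT_TYPE, edns_bufsize=None, qid=0x1234):
    """Constructed query: RD set, one question, optional OPT RR advertising `edns_bufsize`."""
    arcount = 1 if edns_bufsize is not None else 0
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns_bufsize is not None:
        # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size, TTL=0, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return hdr + question + opt


def advertised_udp_size(query):
    """EDNS0 payload size the client advertises; 512 if no OPT RR (RFC 1035 / RFC 6891)."""
    _qid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", query, 0)
    off = _question_end(query)
    for _ in range(an + ns + ar):
        off = _skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", query, off)
        if rtype == OPT_TYPE:
            return max(rclass, 512)      # RFC 6891: values below 512 are treated as 512
        off += 10 + rdlen
    return 512


def udp_response_limit(query, max_udp_size, acl_action):
    """Byte cap for a UDP reply: min(client advertised, max-udp-size), clamped to 512 for allow_minimal."""
    limit = min(advertised_udp_size(query), max_udp_size)
    if acl_action == "allow_minimal":     # proposed ACL action from the thread (assumption)
        limit = min(limit, 512)
    return limit


def build_response(query, txt_count=12):
    """Constructed oversized answer: `txt_count` TXT records of 255 bytes each, name-compressed to the question."""
    qid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:_question_end(query)]
    hdr = struct.pack("!HHHHHH", qid, 0x8180, 1, txt_count, 0, 0)   # QR, RD, RA
    rrs = b""
    for i in range(txt_count):
        txt = bytes([255]) + bytes([0x41 + i]) * 255
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", TXT_TYPE, 1, 300, len(txt)) + txt
    return hdr + question + rrs


def fit_udp_response(response, limit):
    """Return the reply as it would go out over UDP: unchanged if it fits, otherwise
    the leading records that fit with the TC bit set (simplified truncation, assumption)."""
    if len(response) <= limit:
        return response
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", response, 0)
    off = _question_end(response)
    kept = [0, 0, 0]
    for sec, count in enumerate((an, ns, ar)):
        for _ in range(count):
            nxt = _skip_name(response, off)
            rdlen = struct.unpack_from("!H", response, nxt + 8)[0]
            nxt += 10 + rdlen
            if nxt > limit:
                break
            off = nxt
            kept[sec] += 1
        else:
            continue
        break
    hdr = struct.pack("!HHHHHH", qid, flags | TC_FLAG, qd, *kept)
    return hdr + response[12:off]


def amplification(query, response, max_udp_size, acl_action):
    """(bytes actually sent, bytes sent per byte received) for one reflected query."""
    sent = fit_udp_response(response, udp_response_limit(query, max_udp_size, acl_action))
    return len(sent), len(sent) / len(query)


if __name__ == "__main__":
    q = build_query("example.com", edns_bufsize=4096)
    r = build_response(q)
    for action, maxsize in (("allow", 4096), ("allow", 1480), ("allow_minimal", 4096)):
        print(action, maxsize, amplification(q, r, maxsize, action))
```

Run as a script it prints the three cases side by side: an "allow" client advertising 4096 receives the whole 3245-byte answer for a 40-byte query (about 81x), lowering max-udp-size to 1480 drops that to about 34x, and "allow_minimal" cuts the same exchange to a 297-byte truncated reply (about 7x), which is why the proposal is useful for clients that will retry over TCP anyway.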

Attachment: unbound-maxudp-allowmininal.patch

