+18 January 2023: Wouter
+ - Fix not following cleared RD flags potentially enables amplification
+ DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab,
+ Tsinghua University. The fix stops query loops, by refusing to send
+ RD=0 queries to a forwarder, they still get answered from cache.
+
13 January 2023: Wouter
- Merge #826: Аdd a metric about the maximum number of collisions in
lrushah.
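Review bot: the new entry says RD=0 queries are no longer sent to a forwarder but not what the client gets instead; the iterator.c hunk answers them with `LDNS_RCODE_SERVFAIL`, so consider stating that in the entry ("... they still get answered from cache, otherwise SERVFAIL") so operators with allow_snoop know why cache misses now fail. Also, the 13 January context line "Аdd a metric about the maximum number of collisions" starts with a Cyrillic capital А (U+0410) rather than an ASCII A; worth correcting while this file is being touched.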
errinf(qstate, "malloc failure for forward zone");
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
+ if((qstate->query_flags&BIT_RD)==0) {
+ /* If the server accepts RD=0 queries and forwards
+ * with RD=1, then if the server is listed as an NS
+ * entry, it starts query loops. Stop that loop by
+ * disallowing the query. The RD=0 was previously used
+ * to check the cache with allow_snoop. For stubs,
+ * the iterator pass would have primed the stub and
+ * then cached information can be used for further
+ * queries. */
+ verbose(VERB_ALGO, "cannot forward RD=0 query, to stop query loops");
+ errinf(qstate, "cannot forward RD=0 query");
+ return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
iq->refetch_glue = 0;
iq->minimisation_state = DONOT_MINIMISE_STATE;
/* the request has been forwarded.
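Review bot: the `if((qstate->query_flags&BIT_RD)==0)` check is placed after the forward-zone delegation point has already been set up (the "malloc failure for forward zone" branch just above handles that copy), so a query that is about to be refused still pays for the copy; moving the check ahead of that copy keeps the refused path allocation-free. The block comment also states that RD=0 was previously used to check the cache with allow_snoop and that stub zones are fine because the iterator pass primes them, but the hunk only guards the forwarder path; a one-line note that the loop cannot arise for stubs (or a matching guard there if it can) would make that claim easier to verify in review. Minor: the `verbose(VERB_ALGO, ...)` message would be more useful for debugging loops if it included the query name, as nearby iterator messages do.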