+19 January 2023: Wouter
+ - Set max-udp-size default to 1232. This is the same default value as
+ the default value for edns-buffer-size. It restricts client edns
+ buffer size choices, and makes unbound behave similar to other DNS
+ resolvers. The new choice, down from 4096 means it is harder to get
+ large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
+ Tsinghua University.
+
18 January 2023: Wouter
- Fix not following cleared RD flags potentially enables amplification
DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab,
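Review bot: the entry says the new default makes it "harder to get large responses" but not what that means operationally for an operator upgrading: a client that advertises a larger EDNS buffer size will now have its UDP answers limited to 1232 bytes, so responses that previously fit in one UDP datagram will come back truncated and be retried over TCP unless max-udp-size is raised. One sentence naming that consequence and the option to change it would make the entry actionable, and "behave similar to" should read "behave similarly to".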
# edns-buffer-size: 1232
# Maximum UDP response size (not applied to TCP response).
- # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
- # max-udp-size: 4096
+ # Suggested values are 512 to 4096. Default is 1232. 65536 disables it.
+ # max-udp-size: 1232
# max memory to use for stream(tcp and tls) waiting result buffers.
# stream-wait-size: 4m
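Review bot: the updated comment changes only the number, so the example config does not explain why 1232 was chosen while the man page and the config.c hunk both tie it to edns-buffer-size (which sits right above on the `# edns-buffer-size: 1232` line). Adding a short clause such as "Default is 1232, the same as edns-buffer-size" keeps the three places consistent and tells readers which two values they should change together.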
.B max\-udp\-size: \fI<number>
Maximum UDP response size (not applied to TCP response). 65536 disables the
udp response size maximum, and uses the choice from the client, always.
-Suggested values are 512 to 4096. Default is 4096.
+Suggested values are 512 to 4096. Default is 1232. The default value is the
+same as the default for edns\-buffer\-size.
.TP
.B stream\-wait\-size: \fI<number>
Number of bytes size maximum to use for waiting stream buffers. Default is
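Review bot: the cross-reference on the added line, "the default for edns\-buffer\-size", is plain roman text, whereas option names in this page are set in bold (`.B max\-udp\-size`), so `\fBedns\-buffer\-size\fR` would follow the page's convention. It would also help to state the interaction explicitly: the paragraph describes 65536 as "uses the choice from the client, always", but does not say that with the default the client's advertised buffer size is capped at this value, which is what the Changelog entry means by "restricts client edns buffer size choices".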
cfg->minimal_responses = 1;
cfg->rrset_roundrobin = 1;
cfg->unknown_server_time_limit = 376;
- cfg->max_udp_size = 4096;
+ cfg->max_udp_size = 1232; /* value taken from edns_buffer_size */
if(!(cfg->server_key_file = strdup(RUN_DIR"/unbound_server.key")))
goto error_exit;
if(!(cfg->server_cert_file = strdup(RUN_DIR"/unbound_server.pem")))
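Review bot: the comment on the added line says the value is "taken from edns_buffer_size", but the code assigns the literal 1232 a second time rather than reusing the other default, so the two can silently drift apart the next time either is changed. If `cfg->edns_buffer_size` is already initialised earlier in this function (not visible in the hunk), `cfg->max_udp_size = cfg->edns_buffer_size;` would make the comment true; otherwise a single shared `#define` for the default buffer size, used in both assignments, achieves the same without relying on initialisation order.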