From: bert hubert
Date: Fri, 18 Apr 2014 06:48:43 +0000 (+0200)
Subject: implement minimum-ttl-override setting and rec_constrol set-minimum-ttl for dealing...
X-Git-Tag: rec-3.6.0-rc1~57
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aadceba89c87c60b76a6939a4a113d108c2fe3df;p=thirdparty%2Fpdns.git
implement minimum-ttl-override setting and rec_constrol set-minimum-ttl for dealing with DoS
---
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 2bcbf62531..b1c08446f3 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -1793,6 +1793,8 @@ int serviceMain(int argc, char*argv[])
 g_quiet=false;
 }
+ SyncRes::s_minimumTTL = ::arg().asNum("minimum-ttl-override");
+ checkLinuxIPv6Limits();
 try {
 vector addrs;
@@ -2153,6 +2155,7 @@ int main(int argc, char **argv)
 ::arg().setSwitch( "pdns-distributes-queries", "If PowerDNS itself should distribute queries over threads (EXPERIMENTAL)")="no";
 ::arg().setSwitch( "any-to-tcp","Answer ANY queries with tc=1, shunting to TCP" )="no";
 ::arg().set("udp-truncation-threshold", "Maximum UDP response size before we truncate")="1680";
+ ::arg().set("minimum-ttl-override", "Set under adverse conditions, a minimum TTL")="0";
 ::arg().set("include-dir","Include *.conf files from this directory")="";
diff --git a/pdns/rec_channel_rec.cc b/pdns/rec_channel_rec.cc
index 1378addb56..207da8186e 100644
--- a/pdns/rec_channel_rec.cc
+++ b/pdns/rec_channel_rec.cc
@@ -246,6 +246,16 @@ string doWipeCache(T begin, T end)
 return "wiped "+lexical_cast(count)+" records, "+lexical_cast(countNeg)+" negative records\n";
 }
+template
+string setMinimumTTL(T begin, T end)
+{
+ if(end-begin != 1)
+ return "Need to supply new minimum TTL number\n";
+ SyncRes::s_minimumTTL = atoi(begin->c_str());
+ return "New minimum TTL: " + lexical_cast(SyncRes::s_minimumTTL) + "\n";
+}
+
+
 static uint64_t getSysTimeMsec()
 {
 struct rusage ru;
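Review bot: `SyncRes::s_minimumTTL = ::arg().asNum("minimum-ttl-override");` in serviceMain stores a signed config value into an unsigned int with no range check, so a mistyped `minimum-ttl-override=-1` silently becomes a floor of roughly 4.3 billion seconds and pins every record the recursor learns in cache more or less forever; the same unchecked conversion happens in `setMinimumTTL` in the rec_channel_rec.cc hunk, where `atoi(begin->c_str())` turns `set-minimum-ttl -1` into that value and a non-numeric argument into 0, while the reply still reports "New minimum TTL: ..." as if the input had been understood. Since this knob is meant to be flipped in a hurry during an attack, both sites should reject anything that is not a non-negative integer within the TTL range (RFC 2181 caps a TTL at 2^31-1) rather than wrapping: serviceMain should refuse to start, or log and keep 0, when `asNum` returns a negative value, and setMinimumTTL should parse with strtol and validate before touching the static, as sketched below. serviceMain's body continues outside the hunk; setMinimumTTL is fully inside its hunk.
```cpp
template<typename T>
string setMinimumTTL(T begin, T end)
{
  if(end-begin != 1)
    return "Need to supply new minimum TTL number\n";
  char* endptr = 0;
  long ttl = strtol(begin->c_str(), &endptr, 10);
  // reject empty, trailing junk, negatives and anything above the RFC 2181 TTL maximum
  if(begin->empty() || *endptr != '\0' || ttl < 0 || ttl > 2147483647L)
    return "Invalid minimum TTL '" + *begin + "', need an integer in 0..2147483647\n";
  SyncRes::s_minimumTTL = ttl;
  return "New minimum TTL: " + lexical_cast<string>(SyncRes::s_minimumTTL) + "\n";
}
```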
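Review bot: The description given to `::arg().set("minimum-ttl-override", ...)` tells the operator neither the unit nor that the default of 0 turns the feature off, even though the `if(s_minimumTTL)` guard in the syncres.cc hunk is what makes 0 mean "disabled". A setting that is only reached for under adverse conditions should be self-explanatory in the option help, e.g. `::arg().set("minimum-ttl-override", "Set under adverse conditions, a minimum TTL in seconds applied to every record before it is cached (0 disables)")="0";`. main's body continues outside the hunk.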
@@ -620,6 +630,7 @@ string RecursorControlParser::getAnswer(const string& question, RecursorControlP
 "reload-acls reload ACLS\n"
 "reload-lua-script [filename] (re)load Lua script\n"
 "reload-zones reload all auth and forward zones\n"
+"set-minimum-ttl value set mininum-ttl-override\n"
 "trace-regex regex emit resolution trace for matching queries\n"
 "top-remotes show top remotes\n"
 "unload-lua-script unload Lua script\n"
@@ -699,6 +710,10 @@ string RecursorControlParser::getAnswer(const string& question, RecursorControlP
 if(cmd=="reload-zones") {
 return reloadAuthAndForwards();
 }
+
+ if(cmd=="set-minimum-ttl") {
+ return setMinimumTTL(begin, end);
+ }
 if(cmd=="get-qtypelist") {
 return g_rs.getQTypeReport();
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 9e3ae6c748..400d8f700d 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -59,6 +59,7 @@ unsigned int SyncRes::s_throttledqueries;
 unsigned int SyncRes::s_dontqueries;
 unsigned int SyncRes::s_nodelegated;
 unsigned int SyncRes::s_unreachables;
+unsigned int SyncRes::s_minimumTTL;
 bool SyncRes::s_doIPv6;
 bool SyncRes::s_nopacketcache;
@@ -1005,6 +1006,12 @@ int SyncRes::doResolveAt(set nameservers, string auth,
 t_sstorage->nsSpeeds[*tns].submit(*remoteIP, lwr.d_usec, &d_now);
 }
+ if(s_minimumTTL) {
+ for(LWResult::res_t::iterator i=lwr.d_result.begin();i != lwr.d_result.end();++i) {
+ i->ttl = max(i->ttl, s_minimumTTL);
+ }
+ }
+
 typedef map, set, TCacheComp > tcache_t;
 tcache_t tcache;
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index c15489f987..6a8840b838 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
@@ -289,6 +289,7 @@ public:
 static unsigned int s_tcpoutqueries;
 static unsigned int s_nodelegated;
 static unsigned int s_unreachables;
+ static unsigned int s_minimumTTL;
 static bool s_doAAAAAdditionalProcessing;
 static bool s_doAdditionalProcessing;
 static bool s_doIPv6;
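Review bot: The new help line misspells the setting it refers to: `"set-minimum-ttl value set mininum-ttl-override\n"` should read `set minimum-ttl-override`, otherwise an operator searching the rec_control help for the config option name will not find it. It would also help to say what `value` is, e.g. `"set-minimum-ttl value set minimum-ttl-override (seconds, 0 disables)\n"`. getAnswer's body starts and ends outside the hunk.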
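Review bot: The floor is applied to `lwr.d_result` in place, before the records are sorted into the `tcache` declared right after the new block, so it is baked into whatever gets cached: lowering or clearing `s_minimumTTL` later through `set-minimum-ttl` does not shorten entries already in the cache, and an operator who raised the floor during an attack has to wipe the cache to get back to authoritative TTLs. The loop also lifts records that arrived with a TTL of 0, which RFC 1035 uses to mean do-not-cache, up to the full floor, so stale data can outlive the incident by the override amount. Both consequences are inherent to the design, but they should be stated at the `if(s_minimumTTL)` line, e.g. `// Floor applied at cache-insert time: lowering s_minimumTTL later does not touch entries already cached (wipe the cache for that), and TTL-0 records are raised too.`. The enclosing doResolveAt starts and ends outside the hunk.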
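Review bot: `static unsigned int s_minimumTTL;` is added to a run of undocumented statics, but unlike what appear to be counters around it this is a tunable written at runtime from the control channel and read on the resolution path, and the header says nothing about its unit or that 0 means off. Suggest `static unsigned int s_minimumTTL; // floor in seconds applied to every record TTL before caching; 0 disables; set from minimum-ttl-override and rec_control set-minimum-ttl`. If the control socket is serviced on a different thread from the resolver workers, which this hunk does not show, the plain unsigned write is unsynchronized; that matches the neighbouring statics, but the comment should at least say that readers must not assume the value is stable across calls.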