From 3e7b76608442619a67ae1c69bfa8423857572893 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 25 Mar 2017 17:00:53 -0500 Subject: [PATCH] Improve default padding of responses. At NDSS 2017's DNS privacy workshop, I presented an empirical study of DNS padding policies: https://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017/dns-privacy-workshop-2017-programme#session3 The slide deck is here: https://dns.cmrg.net/ndss2017-dprive-empirical-DNS-traffic-size.pdf The resulting recommendation from the research is that a simple padding policy is relatively cheap and still protective of metadata when DNS traffic is encrypted: * queries should be padded to a multiple of 128 octets * responses should be padded to a multiple of 468 octets This change adjusts the default policy to match these recommendations. I recently proposed a similar change to libknot to define a standard policy in a centralized place: https://gitlab.labs.nic.cz/labs/knot/merge_requests/692 I'll submit a followup request to make use of that centralized policy (once kresd is willing to depend on a newer version of libknot), but please consider this proposed change first. --- lib/defines.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/defines.h b/lib/defines.h index 5653c0436..2621a7ac3 100644 --- a/lib/defines.h +++ b/lib/defines.h @@ -69,7 +69,7 @@ static inline int __attribute__((__cold__)) kr_error(int x) { #define KR_DNS_TLS_PORT 853 #define KR_EDNS_VERSION 0 #define KR_EDNS_PAYLOAD 4096 /* Default UDP payload (max unfragmented UDP is 1452B) */ -#define KR_DEFAULT_TLS_PADDING 128 /* Default EDNS(0) Padding is 128 */ +#define KR_DEFAULT_TLS_PADDING 468 /* Default EDNS(0) Padding is 468 */ #define KR_CACHE_DEFAULT_MAXTTL (6 * 24 * 3600) /* 6 days, like the root NS TTL */ /* -- 2.47.3
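Review bot: the hunk raises a single constant, `KR_DEFAULT_TLS_PADDING`, from 128 to 468, while the commit message itself recommends two different values (queries to a multiple of 128 octets, responses to a multiple of 468 octets) and the subject line scopes the change to responses only. Before merging, confirm where `KR_DEFAULT_TLS_PADDING` is consumed: if the same define also sizes the padding of queries kresd forwards upstream over TLS, this change silently moves query padding to 468 as well, which is not what the cited study recommends, and the policy should be split into separate query and response defines (or the forwarding path left at 128). The replacement comment `/* Default EDNS(0) Padding is 468 */` also only restates the literal; a comment such as `/* pad TLS responses to a multiple of 468 octets (NDSS 2017 DPRIVE study) */` would record why the value was chosen, which is the part a future maintainer will want.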