]> git.ipfire.org Git - thirdparty/knot-resolver.git/commit
projects / thirdparty / knot-resolver.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 54f05e4) | patch
mitigate NXNSAttack protocol vulnerability for wildcards in victim zone
authorVladimír Čunát <vladimir.cunat@nic.cz>
Tue, 5 May 2020 09:32:02 +0000 (11:32 +0200)
committerPetr Špaček <petr.spacek@nic.cz>
Mon, 18 May 2020 19:51:19 +0000 (21:51 +0200)
commitba7b89db780fe3884b4e90090318e25ee5afb118
treea22575446934c2b6dec22b787b169c41df5644d8tree
parent54f05e4d7b2e47c0bdd30b84272fc503cc65304bcommit | diff
mitigate NXNSAttack protocol vulnerability for wildcards in victim zone

Attacker might generate fake NS records pointing to victim's DNS zone.
If the zone contains wildcard the attacker might force us into packet
exchange with a (lame) DNS server on that IP address.

We now limit number of consecuctive failures and kill whole request if
limit is exceeded.
daemon/lua/kres-gen.lua diff | blob | blame | history
lib/defines.h diff | blob | blame | history
lib/layer/iterate.c diff | blob | blame | history
lib/resolve.c diff | blob | blame | history
lib/resolve.h diff | blob | blame | history
Mirror of https://gitlab.nic.cz/knot/knot-resolver.git