- The :ref:`setting-yaml-outgoing.cookies` setting has been introduced to implement cookie support for contacting authoritative servers and forwarders. See :rfc:`7873` and :rfc:`9018`.
- The :ref:`setting-yaml-outgoing.cookies_unsupported` setting has been introduced to permanently mark authoritative servers as not supporting cookies.
- The :ref:`setting-yaml-outgoing.tls_configurations` setting has been introduced to be able to force certificate validation and other properties of outgoing DoT connections.
+- The :ref:`setting-yaml-outgoing.any_to_tcp` setting has been introduced to force outgoing ANY queries to TCP.
Changed Settings
^^^^^^^^^^^^^^^^
SyncRes::parseEDNSSubnetAllowlist(::arg()["edns-subnet-allow-list"]);
SyncRes::parseEDNSSubnetAddFor(::arg()["ecs-add-for"]);
g_useIncomingECS = ::arg().mustDo("use-incoming-edns-subnet");
+ SyncRes::s_outAnyToTcp = ::arg().mustDo("out-any-to-tcp");
return 0;
}
''',
'versionchanged': ('5.4.0', 'Default is enabled now, was disabled before 5.4.0'),
},
+ {
+ 'name' : 'any_to_tcp',
+ 'oldname': 'out-any-to-tcp',
+ 'section' : 'outgoing',
+ 'type' : LType.Bool,
+ 'default' : 'true',
+ 'help' : 'Use TCP for ANY queries to authoritative servers',
+ 'doc' : '''
+Send out requests with qtype `ANY` using TCP.
+ ''',
+ 'versionadded': '5.4.0',
+ },
{
'name' : 'allow_trust_anchor_query',
'section' : 'recursor',
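Review bot: The `doc` text of the new `any_to_tcp` entry only restates the setting name and never says that the default of `true` changes the behaviour of an upgraded resolver. An operator whose egress filtering blocks outbound TCP to port 53 would want that stated here. I would expand it to something like `Send outgoing queries with qtype ANY over TCP instead of UDP. ANY answers tend to be large; TCP avoids truncation and fragmented UDP replies. Disable this if upstream servers cannot be reached over TCP.` The `help` string says "authoritative servers" while the release note says "outgoing ANY queries", so the doc should also say whether forwarders are covered. Separately, the single-backquoted ANY is interpreted text in reStructuredText rather than a literal, so double backquotes are needed.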
bool SyncRes::s_rootNXTrust;
bool SyncRes::s_noEDNS;
bool SyncRes::s_qnameminimization;
+bool SyncRes::s_outAnyToTcp;
SyncRes::HardenNXD SyncRes::s_hardenNXD;
unsigned int SyncRes::s_refresh_ttlperc;
unsigned int SyncRes::s_locked_ttlperc;
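Review bot: `bool SyncRes::s_outAnyToTcp;` has no initializer, so it is zero-initialized to false until the startup line that assigns it from `out-any-to-tcp` runs, while the setting is declared with default `true`. Any code that drives SyncRes without going through that configuration path (a test harness, for instance, if it does not set the flag itself) would exercise the opposite of the shipped default. Defining it as `bool SyncRes::s_outAnyToTcp{true};` keeps the in-code default in agreement with the documented one. The neighbouring statics are also left uninitialized, so this follows the file's existing style, but for them a zero default may be harmless.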
if (SyncRes::s_dot_to_port_853 && remoteIP->getPort() == 853) {
doDoT = true;
}
- bool forceTCP = doDoT;
+ bool forceTCP = doDoT || (qtype == QType::ANY && s_outAnyToTcp);
if (!doDoT && s_max_busy_dot_probes > 0) {
submitTryDotTask(*remoteIP, auth, tns->first, d_now.tv_sec);
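Review bot: The new `forceTCP` expression singles out `QType::ANY` without a comment saying why, and the hunk does not show what happens when the forced TCP exchange fails. If there is no retry over UDP further down (the enclosing function starts and ends outside the hunk, so I cannot tell), a server that does not answer on TCP makes every ANY lookup towards it fail under the new default; that case deserves a test. I would add above the line `// ANY answers are large: ask over TCP so we never depend on truncated or fragmented UDP replies, which are also easier to spoof`. The motive is inferred from the setting's help text, so adjust the wording if the intent differs.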
static bool s_noEDNS;
static bool s_rootNXTrust;
static bool s_qnameminimization;
+ static bool s_outAnyToTcp;
static HardenNXD s_hardenNXD;
static unsigned int s_refresh_ttlperc;
static unsigned int s_locked_ttlperc;