- drop-tld.diff: adds option drop-tld: yesno that drops 2 label
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 22 Oct 2019 08:32:37 +0000 (10:32 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 22 Oct 2019 08:32:37 +0000 (10:32 +0200)
  queries, to stop random floods.  Apply with
  patch -p1 < contrib/drop-tld.diff and compile.
  From Saksham Manchanda (Secure64).  Please note that we think this
  will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
  lookups for downstream clients.

contrib/README
contrib/drop-tld.diff [new file with mode: 0644]
doc/Changelog

index 262ccc7db42d4b1d1b1cb822a88c1aabb51a5829..988b59435ba2a960b44f076649ddca6e1c12d0b8 100644 (file)
@@ -40,3 +40,8 @@ distribution but may be helpful.
   redis backend) redis Python modules.
 * unbound-fuzzme.patch: adds unbound-fuzzme program that parses a packet from
   stdin.  Used with fuzzers, patch from Jacob Hoffman-Andrews.
+* drop-tld.diff: adds option drop-tld: yesno that drops 2 label queries,
+  to stop random floods.  Apply with patch -p1 < contrib/drop-tld.diff and
+  compile.  From Saksham Manchanda (Secure64).  Please note that we think
+  this will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
+  lookups for downstream clients.
diff --git a/contrib/drop-tld.diff b/contrib/drop-tld.diff
new file mode 100644 (file)
index 0000000..173825b
--- /dev/null
@@ -0,0 +1,82 @@
+diff --git a/daemon/worker.c b/daemon/worker.c
+index 263fcdd..f787b70 100644
+--- a/daemon/worker.c
++++ b/daemon/worker.c
+@@ -1213,6 +1213,15 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
+               addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
+               log_query_in(ip, qinfo.qname, qinfo.qtype, qinfo.qclass);
+       }
++
++      if(worker->env.cfg->drop_tld) {
++              int lab = dname_count_labels(qinfo.qname);
++              if (lab == 2) {
++                      comm_point_drop_reply(repinfo);
++                      verbose(VERB_ALGO, "Dropping one label query.");
++                      return 0;
++              }
++      }
+       if(qinfo.qtype == LDNS_RR_TYPE_AXFR || 
+               qinfo.qtype == LDNS_RR_TYPE_IXFR) {
+               verbose(VERB_ALGO, "worker request: refused zone transfer.");
+diff --git a/util/config_file.h b/util/config_file.h
+index b3ef930..2791541 100644
+--- a/util/config_file.h
++++ b/util/config_file.h
+@@ -274,6 +274,8 @@ struct config_file {
+       int prefetch_key;
+       /** deny queries of type ANY with an empty answer */
+       int deny_any;
++      /** Drop TLD queries from clients **/
++      int drop_tld;
+       /** chrootdir, if not "" or chroot will be done */
+       char* chrootdir;
+diff --git a/util/configlexer.lex b/util/configlexer.lex
+index a86ddf5..9bbedbb 100644
+--- a/util/configlexer.lex
++++ b/util/configlexer.lex
+@@ -299,6 +299,7 @@ private-domain{COLON}              { YDVAR(1, VAR_PRIVATE_DOMAIN) }
+ prefetch-key{COLON}           { YDVAR(1, VAR_PREFETCH_KEY) }
+ prefetch{COLON}                       { YDVAR(1, VAR_PREFETCH) }
+ deny-any{COLON}                       { YDVAR(1, VAR_DENY_ANY) }
++drop-tld{COLON}                       { YDVAR(1, VAR_DROP_TLD) }
+ stub-zone{COLON}              { YDVAR(0, VAR_STUB_ZONE) }
+ name{COLON}                   { YDVAR(1, VAR_NAME) }
+ stub-addr{COLON}              { YDVAR(1, VAR_STUB_ADDR) }
+diff --git a/util/configparser.y b/util/configparser.y
+index 10227a2..567d68e 100644
+--- a/util/configparser.y
++++ b/util/configparser.y
+@@ -164,6 +164,7 @@ extern struct config_parser_state* cfg_parser;
+ %token VAR_FAST_SERVER_PERMIL VAR_FAST_SERVER_NUM
+ %token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT VAR_TCP_CONNECTION_LIMIT
+ %token VAR_FORWARD_NO_CACHE VAR_STUB_NO_CACHE VAR_LOG_SERVFAIL VAR_DENY_ANY
++%token VAR_DROP_TLD
+ %token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY
+ %token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES
+ %token VAR_TLS_SESSION_TICKET_KEYS
+@@ -266,6 +267,7 @@ content_server: server_num_threads | server_verbosity | server_port |
+       server_tls_cert_bundle | server_tls_additional_port | server_low_rtt |
+       server_fast_server_permil | server_fast_server_num  | server_tls_win_cert |
+       server_tcp_connection_limit | server_log_servfail | server_deny_any |
++      server_drop_tld |
+       server_unknown_server_time_limit | server_log_tag_queryreply |
+       server_stream_wait_size | server_tls_ciphers |
+       server_tls_ciphersuites | server_tls_session_ticket_keys
+@@ -1466,6 +1468,16 @@ server_deny_any: VAR_DENY_ANY STRING_ARG
+               free($2);
+       }
+       ;
++
++server_drop_tld: VAR_DROP_TLD STRING_ARG
++      {
++              OUTYY(("P(server_drop_tld:%s)\n", $2));
++              if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
++                      yyerror("expected yes or no.");
++              else cfg_parser->cfg->drop_tld = (strcmp($2, "yes")==0);
++              free($2);
++      }
++      ;
+ server_unwanted_reply_threshold: VAR_UNWANTED_REPLY_THRESHOLD STRING_ARG
+       {
+               OUTYY(("P(server_unwanted_reply_threshold:%s)\n", $2));
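Review bot: The `if (lab == 2)` guard in the daemon/worker.c part of the new contrib/drop-tld.diff drops every query whose name has one label below the root regardless of qtype, so the DNSKEY/DS breakage the commit message warns about is not mitigated anywhere in the patch; exempting those types, e.g. `if (lab == 2 && qinfo.qtype != LDNS_RR_TYPE_DNSKEY && qinfo.qtype != LDNS_RR_TYPE_DS) {`, would let a validating downstream resolver still build the chain of trust for a TLD. The check presumably relies on dname_count_labels counting the root label, which the "2 label" wording of the description implies but the log line `"Dropping one label query."` contradicts; a message such as `"drop-tld: dropping query for a top-level name."` would match what is actually tested. The closing `**/` on the new config_file.h field comment should be `*/` like the neighbouring field comments. The patch also does not appear to add the option to the unbound.conf manual page, so the README entry is the only place a user learns what drop-tld: does. worker_handle_request starts and ends outside the hunk.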
index a87776c6b5849d83e60971e7b7efdf688c7c5b7a..2581f333ed841d7a3ec5b5c230e637121db07bb7 100644 (file)
@@ -1,3 +1,11 @@
+22 October 2019: Wouter
+       - drop-tld.diff: adds option drop-tld: yesno that drops 2 label
+         queries, to stop random floods.  Apply with
+         patch -p1 < contrib/drop-tld.diff and compile.
+         From Saksham Manchanda (Secure64).  Please note that we think this
+         will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
+         lookups for downstream clients.
+
 7 October 2019: Wouter
        - Add doxygen comments to unbound-anchor source address code, in #86.