From: Otto Moerbeek
Date: Wed, 26 Nov 2025 11:37:25 +0000 (+0100)
Subject: Force outgoing ANY queries to use TCP by default
X-Git-Tag: rec-5.4.0-alpha1~37^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa8246206c2820ae34619edf67f6bd4aab7d487c;p=thirdparty%2Fpdns.git

Force outgoing ANY queries to use TCP by default

Signed-off-by: Otto Moerbeek
---

diff --git a/pdns/recursordist/docs/upgrade.rst b/pdns/recursordist/docs/upgrade.rst
index 2b199e8f00..20aa1eb383 100644
--- a/pdns/recursordist/docs/upgrade.rst
+++ b/pdns/recursordist/docs/upgrade.rst
@@ -13,6 +13,7 @@ New Settings
 - The :ref:`setting-yaml-outgoing.cookies` setting has been introduced to implement cookie support for contacting authoritative servers and forwarders. See :rfc:`7873` and :rfc:`9018`.
 - The :ref:`setting-yaml-outgoing.cookies_unsupported` setting has been introduced to permanently mark authoritative servers as not supporting cookies.
 - The :ref:`setting-yaml-outgoing.tls_configurations` setting has been introduced to be able to force certificate validation and other properties of outgoing DoT connections.
+- The :ref:`setting-yaml-outgoing.any_to_tcp` setting has been introduced to force outgoing ANY queries to TCP.
 
 Changed Settings
 ^^^^^^^^^^^^^^^^
diff --git a/pdns/recursordist/rec-main.cc b/pdns/recursordist/rec-main.cc
index 6dfbfd18bd..b208fa29f9 100644
--- a/pdns/recursordist/rec-main.cc
+++ b/pdns/recursordist/rec-main.cc
@@ -1838,6 +1838,7 @@ static int initSyncRes(Logr::log_t log)
 SyncRes::parseEDNSSubnetAllowlist(::arg()["edns-subnet-allow-list"]);
 SyncRes::parseEDNSSubnetAddFor(::arg()["ecs-add-for"]);
 g_useIncomingECS = ::arg().mustDo("use-incoming-edns-subnet");
+ SyncRes::s_outAnyToTcp = ::arg().mustDo("out-any-to-tcp");
 return 0;
 }
 
diff --git a/pdns/recursordist/rec-rust-lib/table.py b/pdns/recursordist/rec-rust-lib/table.py
index 6ec67c80f0..02e1545c15 100644
--- a/pdns/recursordist/rec-rust-lib/table.py
+++ b/pdns/recursordist/rec-rust-lib/table.py
@@ -225,6 +225,18 @@ Useful for mitigating ANY reflection attacks.
 ''',
 'versionchanged': ('5.4.0', 'Default is enabled now, was disabled before 5.4.0'),
 },
+ {
+ 'name' : 'any_to_tcp',
+ 'oldname': 'out-any-to-tcp',
+ 'section' : 'outgoing',
+ 'type' : LType.Bool,
+ 'default' : 'true',
+ 'help' : 'Use TCP for ANY queries to authoritative servers',
+ 'doc' : '''
+Send out requests with qtype `ANY` using TCP.
+ ''',
+ 'versionadded': '5.4.0',
+ },
 {
 'name' : 'allow_trust_anchor_query',
 'section' : 'recursor',
diff --git a/pdns/recursordist/syncres.cc b/pdns/recursordist/syncres.cc
index e9e47d04de..83189097d9 100644
--- a/pdns/recursordist/syncres.cc
+++ b/pdns/recursordist/syncres.cc
@@ -384,6 +384,7 @@ bool SyncRes::s_doIPv6;
 bool SyncRes::s_rootNXTrust;
 bool SyncRes::s_noEDNS;
 bool SyncRes::s_qnameminimization;
+bool SyncRes::s_outAnyToTcp;
 SyncRes::HardenNXD SyncRes::s_hardenNXD;
 unsigned int SyncRes::s_refresh_ttlperc;
 unsigned int SyncRes::s_locked_ttlperc;
@@ -5997,7 +5998,7 @@ int SyncRes::doResolveAt(NsSet& nameservers, DNSName auth, bool flawedNSSet, con
 if (SyncRes::s_dot_to_port_853 && remoteIP->getPort() == 853) {
 doDoT = true;
 }
- bool forceTCP = doDoT;
+ bool forceTCP = doDoT || (qtype == QType::ANY && s_outAnyToTcp);
 
 if (!doDoT && s_max_busy_dot_probes > 0) {
 submitTryDotTask(*remoteIP, auth, tns->first, d_now.tv_sec);
diff --git a/pdns/recursordist/syncres.hh b/pdns/recursordist/syncres.hh
index 0f3d0bf8f9..ce482f5bdb 100644
--- a/pdns/recursordist/syncres.hh
+++ b/pdns/recursordist/syncres.hh
@@ -560,6 +560,7 @@ public:
 static bool s_noEDNS;
 static bool s_rootNXTrust;
 static bool s_qnameminimization;
+ static bool s_outAnyToTcp;
 static HardenNXD s_hardenNXD;
 static unsigned int s_refresh_ttlperc;
 static unsigned int s_locked_ttlperc;
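Review bot: The `doc` string for the new `any_to_tcp` entry only restates the `help` text and gives the operator no reason to keep the default or to turn it off, although the setting changes the transport of every outgoing ANY query and defaults to enabled. I would extend the `doc` to say that answers to ANY tend to be large, so sending them over TCP sidesteps UDP truncation and the retry that follows, and that setting it to false restores the previous transport selection (the exact pre-5.4.0 behaviour is not visible in this hunk, so confirm before wording it). The `help` text says "to authoritative servers" while the check added in syncres.cc keys only on the query type, so whether forwarders are affected as well is worth confirming and stating here.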
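Review bot: The new initialiser `bool forceTCP = doDoT || (qtype == QType::ANY && s_outAnyToTcp);` now encodes a transport policy without a comment saying why, and doResolveAt starts and ends outside the hunk, so a reader landing here sees only the expression. I would name the policy and document it, `const bool anyOverTCP = s_outAnyToTcp && qtype == QType::ANY; // ANY answers tend to be large; out-any-to-tcp avoids UDP for them` followed by `bool forceTCP = doDoT || anyOverTCP;`. `s_outAnyToTcp` is a process-wide static that this commit writes once from the config in initSyncRes, so reading it unsynchronised on every query is fine as long as no reload path ever writes it at runtime; if one is added later, this read should be revisited. Since the default is true, this is an operator-visible behaviour change for ANY lookups on this path, not only a new knob, and the upgrade notes could say so explicitly.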