diff options
author | Seonah Moon <seonah1.moon@samsung.com> | 2023-06-22 15:49:05 +0900 |
---|---|---|
committer | Seonah Moon <seonah1.moon@samsung.com> | 2023-06-22 15:49:07 +0900 |
commit | bdca4764397ab00df3f5ce355c7b7d6ad5246a0f (patch) | |
tree | 9ca6b385fb217a0024c92616e568c6c313132cf0 | |
parent | c142c491503f3be06012c038d065945228ae4456 (diff) | |
download | dnsmasq-accepted/tizen_6.0_unified.tar.gz dnsmasq-accepted/tizen_6.0_unified.tar.bz2 dnsmasq-accepted/tizen_6.0_unified.zip |
Set the default maximum DNS UDP packet size to 1232.accepted/tizen/6.0/unified/20230626.074936tizen_6.0accepted/tizen_6.0_unified
http://www.dnsflagday.net/2020/ refers.
Thanks to Xiang Li for the prompt.
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5
CVE-2023-28450
Change-Id: I7326e1a5f2ce2a69f3a8c166c3d6d79f1f5955dd
-rw-r--r-- | CHANGELOG | 8 | ||||
-rw-r--r-- | man/dnsmasq.8 | 3 | ||||
-rw-r--r-- | src/config.h | 2 |
3 files changed, 11 insertions, 2 deletions
@@ -28,6 +28,14 @@ Backpored patch first query completes, the answer can be sent to all the clients who asked. Refer: CERT CVE-2020-25686. + Set the default maximum DNS UDP packet sice to 1232. This + has been the recommended value since 2020 because it's the + largest value that avoid fragmentation, and fragmentation + is just not reliable on the modern internet, especially + for IPv6. It's still possible to override this with + --edns-packet-max for special circumstances. + + version 2.79 Fix parsing of CNAME arguments, which are confused by extra spaces. Thanks to Diego Aguirre for spotting the bug. diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index bd99b48..2e1df49 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 @@ -168,7 +168,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP. .TP .B \-P, --edns-packet-max=<size> Specify the largest EDNS.0 UDP packet which is supported by the DNS -forwarder. Defaults to 4096, which is the RFC5625-recommended size. +forwarder. Defaults to 1232, which is the recommended size following the +DNS flag day in 2020. Only increase if you know what you are doing. .TP .B \-Q, --query-port=<query_port> Send outbound DNS queries from, and listen for their replies on, the diff --git a/src/config.h b/src/config.h index 67a5ac5..c924908 100644 --- a/src/config.h +++ b/src/config.h @@ -21,7 +21,7 @@ #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */ #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */ #define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */ -#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */ +#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */ #define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */ #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */ #define DNSSEC_WORK 50 /* Max number of queries to validate one question */ |