summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSeonah Moon <seonah1.moon@samsung.com>2023-06-22 15:49:05 +0900
committerSeonah Moon <seonah1.moon@samsung.com>2023-06-22 15:49:07 +0900
commitbdca4764397ab00df3f5ce355c7b7d6ad5246a0f (patch)
tree9ca6b385fb217a0024c92616e568c6c313132cf0
parentc142c491503f3be06012c038d065945228ae4456 (diff)
downloaddnsmasq-bdca4764397ab00df3f5ce355c7b7d6ad5246a0f.tar.gz
dnsmasq-bdca4764397ab00df3f5ce355c7b7d6ad5246a0f.tar.bz2
dnsmasq-bdca4764397ab00df3f5ce355c7b7d6ad5246a0f.zip
Set the default maximum DNS UDP packet size to 1232.accepted/tizen/6.0/unified/20230626.074936tizen_6.0accepted/tizen_6.0_unified
http://www.dnsflagday.net/2020/ refers. Thanks to Xiang Li for the prompt. https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 CVE-2023-28450 Change-Id: I7326e1a5f2ce2a69f3a8c166c3d6d79f1f5955dd
-rw-r--r--CHANGELOG8
-rw-r--r--man/dnsmasq.83
-rw-r--r--src/config.h2
3 files changed, 11 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 35c1b06..45316f8 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -28,6 +28,14 @@ Backpored patch
first query completes, the answer can be sent to all the
clients who asked. Refer: CERT CVE-2020-25686.
+ Set the default maximum DNS UDP packet sice to 1232. This
+ has been the recommended value since 2020 because it's the
+ largest value that avoid fragmentation, and fragmentation
+ is just not reliable on the modern internet, especially
+ for IPv6. It's still possible to override this with
+ --edns-packet-max for special circumstances.
+
+
version 2.79
Fix parsing of CNAME arguments, which are confused by extra spaces.
Thanks to Diego Aguirre for spotting the bug.
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index bd99b48..2e1df49 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -168,7 +168,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
.TP
.B \-P, --edns-packet-max=<size>
Specify the largest EDNS.0 UDP packet which is supported by the DNS
-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
+forwarder. Defaults to 1232, which is the recommended size following the
+DNS flag day in 2020. Only increase if you know what you are doing.
.TP
.B \-Q, --query-port=<query_port>
Send outbound DNS queries from, and listen for their replies on, the
diff --git a/src/config.h b/src/config.h
index 67a5ac5..c924908 100644
--- a/src/config.h
+++ b/src/config.h
@@ -21,7 +21,7 @@
#define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
#define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
#define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */
-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
#define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
#define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
#define DNSSEC_WORK 50 /* Max number of queries to validate one question */