Bugzilla – Bug 4235
IP_PMTUDISC_OMIT on IPv4/UDP sockets
Last modified: 2019-03-11 12:32:41 CET
Created attachment 566
IP_PMTUDISC_OMIT patch for NSD 4.1.26
Linux 3.15 introduced a new socket option IP_PMTUDISC_OMIT which makes sockets ignore PMTU information and send packets with DF=0. With this sockopt fragmentation is allowed if and only if the packet size exceeds the outgoing interface MTU or the packet encounters a smaller MTU link in the network.
By preventing forged PMTU information, setting IP_PMTUDISC_OMIT (instead of IP_PMTUDISC_DONT) on a DNS responder's IPv4/UDP socket mitigates DNS fragmentation attacks. Some DNS implementations already have this feature.
A patch for NSD 4.1.26 that sets IP_PMTUDISC_OMIT on IPv4/UDP sockets (if available) is attached.
Linux kernel introduced IP*_PMTUDISC_OMIT
IP fragmentation attack on DNS
Unbound 1.5.0 introduced this feature.
BIND 9.9.10 introduced this feature.
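As an added example (not the attached patch and not NSD's own code), this sets the option on an IPv4/UDP socket and falls back to IP_PMTUDISC_DONT when the build headers or the running kernel lack IP_PMTUDISC_OMIT; the function names are assumptions, and the read-back confirms which policy the kernel actually installed.

```c
/* Added example: prefer IP_PMTUDISC_OMIT on an IPv4/UDP socket, else
 * IP_PMTUDISC_DONT. Function names here are hypothetical, not NSD's. */
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Returns the IP_MTU_DISCOVER policy installed, or -1 on failure. */
int set_udp_pmtu_omit(int fd)
{
    int action;
#ifdef IP_PMTUDISC_OMIT
    action = IP_PMTUDISC_OMIT;  /* ignore cached/forged PMTU, send DF=0 */
    if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &action, sizeof(action)) == 0)
        return action;
    /* Headers newer than the running kernel give EINVAL: fall back. */
#endif
    action = IP_PMTUDISC_DONT;  /* DF=0 but the cached PMTU is still honoured */
    if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &action, sizeof(action)) != 0)
        return -1;
    return action;
}

/* Read the installed policy back so the effect can be verified. */
int get_udp_pmtu_policy(int fd)
{
    int action = -1;
    socklen_t len = sizeof(action);
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &action, &len) != 0)
        return -1;
    return action;
}

/* Open a fresh UDP socket, apply the option, return the verified policy
 * (-1 if the socket could not be opened or the read-back disagrees). */
int apply_and_verify(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int set = set_udp_pmtu_omit(fd);
    int got = get_udp_pmtu_policy(fd);
    close(fd);
    return (set >= 0 && set == got) ? set : -1;
}

int main(void)
{
    int policy = apply_and_verify();
    printf("installed IP_MTU_DISCOVER policy: %d\n", policy);
    return policy < 0;
}
```

On a Linux 3.15 or newer kernel with matching headers the returned policy is IP_PMTUDISC_OMIT; on older kernels it is IP_PMTUDISC_DONT.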
Thank you for this patch. Preventing fragmentation issues is very good to have. I have included the patch.
I moved the action_dont variable declaration inside braces to avoid statements before variable definition warnings.
Best regards, Wouter