Bug 4235 - IP_PMTUDISC_OMIT on IPv4/UDP sockets
Status: RESOLVED FIXED
Product: NSD
Classification: Unclassified
Component: NSD Code
Version: 4.1.x
Hardware/OS: All Linux
Importance: P5 enhancement
Assigned To: NSD team
 
Reported: 2019-03-09 07:20 CET by Daisuke HIGASHI
Modified: 2019-03-11 12:32 CET (History)
Attachments
IP_PMTUDISC_OMIT patch for NSD 4.1.26 (2.18 KB, application/octet-stream)
2019-03-09 07:20 CET, Daisuke HIGASHI
Description Daisuke HIGASHI 2019-03-09 07:20:41 CET
Created attachment 566 [details]
IP_PMTUDISC_OMIT patch for NSD 4.1.26

Linux 3.15 introduced a new socket option, IP_PMTUDISC_OMIT [1], which makes sockets ignore PMTU information and send packets with DF=0. With this sockopt, fragmentation is allowed if and only if the packet size exceeds the outgoing interface MTU or the packet encounters a smaller-MTU link in the network.

By preventing forged PMTU information, setting IP_PMTUDISC_OMIT (instead of IP_PMTUDISC_DONT) on a DNS responder's IPv4/UDP socket mitigates DNS fragmentation attacks [2]. Some DNS implementations already have this feature [3][4].

A patch for NSD 4.1.26 to set IP_PMTUDISC_OMIT on IPv4/UDP sockets (if available) is attached.

[1] Linux kernel introduced IP*_PMTUDISC_OMIT
  https://lists.openwall.net/netdev/2014/02/26/4

[2] IP fragmentation attack on DNS
  https://ripe67.ripe.net/presentations/240-ipfragattack.pdf

[3] Unbound 1.5.0 introduced this feature.
  https://github.com/NLnetLabs/unbound/commit/470b7bda8763c36a7db255d1d981f3ae06d41ba0

[4] BIND 9.9.10 introduced this feature.
  https://www.isc.org/blogs/bind-april-2017/
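An added example (not the attached NSD patch, and not NSD's own code) of the socket setup the report describes: an IPv4/UDP responder socket gets IP_PMTUDISC_OMIT when the headers and running kernel support it, falls back to IP_PMTUDISC_DONT otherwise, and reads the applied action back with getsockopt rather than assuming it. Function names are assumed for this example.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Prefer IP_PMTUDISC_OMIT: the kernel ignores any (possibly forged) cached
 * PMTU and sends with DF=0, so fragmentation happens only at a real
 * smaller-MTU link. Fall back to IP_PMTUDISC_DONT when the build headers
 * lack the constant or the running kernel (pre-3.15) rejects it (EINVAL).
 * Returns the action the kernel reports back via getsockopt, or -1. */
int pmtu_discover_omit_or_dont(int fd)
{
    int action = -1, got = -1;
    socklen_t len = sizeof(got);
#ifdef IP_PMTUDISC_OMIT
    action = IP_PMTUDISC_OMIT;
    if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &action, sizeof(action)) != 0)
        action = -1;
#endif
    if (action < 0) {
        action = IP_PMTUDISC_DONT;
        if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &action, sizeof(action)) != 0)
            return -1;
    }
    /* Read back what was actually applied instead of trusting our own value. */
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &got, &len) != 0)
        return -1;
    return got;
}

/* Open an IPv4/UDP socket as a responder would, apply the option, and
 * return the verified action (hypothetical name for this example). */
int udp4_socket_pmtu_action(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    int action;
    if (fd < 0)
        return -1;
    action = pmtu_discover_omit_or_dont(fd);
    close(fd);
    return action;
}

int main(void)
{
    int action = udp4_socket_pmtu_action();
    printf("IP_MTU_DISCOVER action: %d (DONT=%d)\n", action, IP_PMTUDISC_DONT);
    return action < 0;
}
```

The fallback matters on hosts built against new headers but booted on a kernel older than 3.15, where the first setsockopt fails and the socket would otherwise keep the default PMTU behaviour.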
Comment 1 Wouter Wijngaards 2019-03-11 12:32:41 CET
Hi Daisuke,

Thank you for this patch. Preventing fragmentation issues is very good to have. I have included the patch.

I moved the action_dont variable declaration inside braces to avoid statements before variable definition warnings.

Best regards, Wouter