| From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001 |
| From: Simon Kelley <simon@thekelleys.org.uk> |
| Date: Tue, 7 Mar 2023 22:07:46 +0000 |
| Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232. |
| |
| http://www.dnsflagday.net/2020/ refers. |
| |
| Thanks to Xiang Li for the prompt. |
| |
| CVE: CVE-2023-28450 |
| Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5] |
| |
| Signed-off-by: Peter Marko <peter.marko@siemens.com> |
| --- |
| man/dnsmasq.8 | 3 ++- |
| src/config.h | 2 +- |
| 2 files changed, 3 insertions(+), 2 deletions(-) |
| |
| diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 |
| index 41e2e04..5acb935 100644 |
| --- a/man/dnsmasq.8 |
| +++ b/man/dnsmasq.8 |
| @@ -183,7 +183,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP. |
| .TP |
| .B \-P, --edns-packet-max=<size> |
| Specify the largest EDNS.0 UDP packet which is supported by the DNS |
| -forwarder. Defaults to 4096, which is the RFC5625-recommended size. |
| +forwarder. Defaults to 1232, which is the recommended size following the |
| +DNS flag day in 2020. Only increase if you know what you are doing. |
| .TP |
| .B \-Q, --query-port=<query_port> |
| Send outbound DNS queries from, and listen for their replies on, the |
| diff --git a/src/config.h b/src/config.h |
| index 1e7b30f..37b374e 100644 |
| --- a/src/config.h |
| +++ b/src/config.h |
| @@ -19,7 +19,7 @@ |
| #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */ |
| #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */ |
| #define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */ |
| -#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */ |
| +#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */ |
| #define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see https://dnsflagday.net/2020/ */ |
| #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */ |
| #define DNSSEC_WORK 50 /* Max number of queries to validate one question */ |
| -- |
| 2.20.1 |
| |