What happened: When sending an AXFR request over UDP (which typical clients like dig prevent you from doing), CoreDNS will happily reply over UDP, which has the potential of generating big payloads and being used as an amplification vector.
What you expected to happen: AXFR to be limited in size and force TC, or possibly return NOTIMPL (like root AXFR servers do, for instance).
* plugin/transfer: only allow outgoing axfr over tcp
Return refused when the query comes in over udp.
No need to add a new test case as the current crop needed to be changed
to use TCP.
Fixes: #4450
Signed-off-by: Miek Gieben <[email protected]>
* transfer tests: this needs tcp as well
Signed-off-by: Miek Gieben <[email protected]>
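The rule the commits describe (answer REFUSED when a zone-transfer query arrives over UDP), as an added Go example that is not CoreDNS's transfer plugin code. It parses just enough of the DNS wire format (the header and the first question) to classify a query, and shows why refusing over UDP removes the amplification factor: the REFUSED reply echoes the question and so is never larger than the query. The function names `buildQuery`, `parseQuestion`, `refusedReply` and `handleQuery`, the `transport` string, the `action` values and the constructed `example.org.` query are all assumptions of this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// DNS query types and the response code used by the fix (RFC 1035 / RFC 5936 values).
const (
	TypeA        uint16 = 1
	TypeIXFR     uint16 = 251
	TypeAXFR     uint16 = 252
	RcodeRefused byte   = 5
)

// Question is the first entry of a DNS message's question section.
type Question struct {
	Name  string
	Qtype uint16
	Class uint16
}

// buildQuery assembles a constructed wire-format query (header plus one question).
// It is sample input for this example, not a captured packet.
func buildQuery(id uint16, name string, qtype uint16) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:2], id)
	msg[2] = 0x01                           // RD set, QR clear: this is a query
	binary.BigEndian.PutUint16(msg[4:6], 1) // QDCOUNT = 1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if label == "" {
			continue
		}
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0) // root label terminates the name
	msg = append(msg, byte(qtype>>8), byte(qtype))
	msg = append(msg, 0, 1) // class IN
	return msg
}

// parseQuestion decodes the header and first question and returns the offset just
// past the question section, so a reply can echo it unchanged.
func parseQuestion(msg []byte) (Question, int, error) {
	if len(msg) < 12 {
		return Question{}, 0, errors.New("message shorter than the 12-byte DNS header")
	}
	if binary.BigEndian.Uint16(msg[4:6]) == 0 {
		return Question{}, 0, errors.New("empty question section")
	}
	off := 12
	var labels []string
	for {
		if off >= len(msg) {
			return Question{}, 0, errors.New("truncated name")
		}
		l := int(msg[off])
		off++
		if l == 0 {
			break
		}
		if l&0xC0 != 0 {
			// Compression pointers are not expected in a question name; reject rather than guess.
			return Question{}, 0, errors.New("compressed name in question")
		}
		if off+l > len(msg) {
			return Question{}, 0, errors.New("truncated label")
		}
		labels = append(labels, string(msg[off:off+l]))
		off += l
	}
	if off+4 > len(msg) {
		return Question{}, 0, errors.New("truncated question")
	}
	q := Question{
		Name:  strings.Join(labels, ".") + ".",
		Qtype: binary.BigEndian.Uint16(msg[off : off+2]),
		Class: binary.BigEndian.Uint16(msg[off+2 : off+4]),
	}
	return q, off + 4, nil
}

// refusedReply echoes the header and question with QR set, ANCOUNT/NSCOUNT/ARCOUNT
// zeroed and RCODE=REFUSED. Its size never exceeds the query's.
func refusedReply(query []byte, qEnd int) []byte {
	reply := make([]byte, qEnd)
	copy(reply, query[:qEnd])
	reply[2] = (reply[2] & 0x01) | 0x80 // keep RD, set QR; opcode stays QUERY (0)
	reply[3] = RcodeRefused             // clear RA/Z, RCODE = 5
	for i := 6; i < 12; i++ {
		reply[i] = 0
	}
	return reply
}

// handleQuery applies the rule from the fix: a zone transfer arriving over UDP is
// answered REFUSED; anything else is handed on ("proceed") to the normal path.
func handleQuery(transport string, query []byte) (string, []byte, error) {
	q, qEnd, err := parseQuestion(query)
	if err != nil {
		return "", nil, err
	}
	if transport == "udp" && (q.Qtype == TypeAXFR || q.Qtype == TypeIXFR) {
		return "refused", refusedReply(query, qEnd), nil
	}
	return "proceed", nil, nil
}

func main() {
	axfr := buildQuery(0x1234, "example.org.", TypeAXFR)
	for _, tr := range []string{"udp", "tcp"} {
		action, reply, err := handleQuery(tr, axfr)
		fmt.Printf("%s AXFR: action=%s reply=%d bytes err=%v\n", tr, action, len(reply), err)
	}
}
```

Because the reply is built only from the query's own header and question, the bytes sent back are bounded by the bytes received, so a spoofed-source AXFR over UDP can no longer turn a small query into a zone-sized response. Setting TC instead of REFUSED, as the issue also suggests, gives the same bound for a legitimate client that then retries over TCP.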
How to reproduce it (as minimally and precisely as possible):
Using a modified miekg/exdns's q.go
Running:
With a Corefile:
using the modified q.go:
we can see that CoreDNS would reply to the AXFR request over UDP.
Anything else we need to know?:
Environment:
OS (cat /etc/os-release): Ubuntu 20.10