Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 10:18:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Truncate DNS replies >512 bytes that the client isn't expecting.

Browse Source
This commit is contained in:
Simon Kelley
2015-12-21 17:20:35 +00:00
parent 5bb88f0963
commit 5aa5f0ff2f
2 changed files with 17 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/edns0.c
View File

@@ -340,8 +340,7 @@ int check_source(struct dns_header *header, size_t plen, unsigned char *pseudohe
{ {
/* Section 9.2, Check that subnet option in reply matches. */ /* Section 9.2, Check that subnet option in reply matches. */
int len, calc_len;
int len, calc_len;
struct subnet_opt opt; struct subnet_opt opt;
unsigned char *p; unsigned char *p;
int code, i, rdlen; int code, i, rdlen;

17
src/forward.c
View File

@@ -485,8 +485,8 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
packet size to 512. But that won't provide space for the RRSIGS in many cases. packet size to 512. But that won't provide space for the RRSIGS in many cases.
The RRSIGS will be stripped out before the answer goes back, so the packet should The RRSIGS will be stripped out before the answer goes back, so the packet should
shrink again. So, if we added a do-bit, bump the udp packet size to the value shrink again. So, if we added a do-bit, bump the udp packet size to the value
known to be OK for this server. Maybe check returned size after stripping and set known to be OK for this server. We check returned size after stripping and set
the truncated bit? */ the truncated bit if it's still too big. */
unsigned char *pheader; unsigned char *pheader;
int is_sign; int is_sign;
if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign, NULL) && !is_sign) if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign, NULL) && !is_sign)
@@ -1028,6 +1028,19 @@ void reply_query(int fd, int family, time_t now)
{ {
header->id = htons(forward->orig_id); header->id = htons(forward->orig_id);
header->hb4 |= HB4_RA; /* recursion if available */ header->hb4 |= HB4_RA; /* recursion if available */
#ifdef HAVE_DNSSEC
/* We added an EDNSO header for the purpose of getting DNSSEC RRs, and set the value of the UDP payload size
greater than the no-EDNS0-implied 512 to have if space for the RRSIGS. If, having stripped them and the EDNS0
header, the answer is still bigger than 512, truncate it and mark it so. The client then retries with TCP. */
if (option_bool(OPT_DNSSEC_VALID) && (forward->flags & FREC_ADDED_PHEADER) && (nn > PACKETSZ))
{
header->ancount = htons(0);
header->nscount = htons(0);
header->arcount = htons(0);
header->hb3 |= HB3_TC;
nn = resize_packet(header, nn, NULL, 0);
}
#endif
send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
&forward->source, &forward->dest, forward->iface); &forward->source, &forward->dest, forward->iface);
} }