Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 10:18:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Rework validate-by-DS to avoid DoS vuln without arbitrary limits.

Browse Source 
By calculating the hash of a DNSKEY once for each digest algo,
we reduce the hashing work from (no. DS) x (no. DNSKEY) to
(no. DNSKEY) x (no. distinct digests)

The number of distinct digests can never be more than 255 and
it's limited by which hashes we implement, so currently only 4.
This commit is contained in:
Simon Kelley
2024-01-04 15:57:43 +00:00
parent 06945c4b77
commit 6f23a0a75e
5 changed files with 150 additions and 166 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/config.h
View File

@@ -23,10 +23,8 @@
#define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see https://dnsflagday.net/2020/ */
#define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
#define DNSSEC_WORK 50 /* Max number of queries to validate one question */
#define LIMIT_KEY_FAIL 15 /* Number of keys that can fail DS validate in one an answer. */
#define LIMIT_DS_FAIL 5 /* Number of DS records that can fail to validate a key in one answer */
#define LIMIT_SIG_FAIL 10 /* Number of signature that can fail to validate in one answer */
#define LIMIT_CRYPTO 40 /* max no. of crypto operations to validate one a query. */
#define LIMIT_SIG_FAIL 20 /* Number of signature that can fail to validate in one answer */
#define LIMIT_CRYPTO 200 /* max no. of crypto operations to validate one a query. */
#define LIMIT_NSEC3_ITERS 150 /* Max. number if iterations allow in NSEC3 record. */
#define TIMEOUT 10 /* drop UDP queries after TIMEOUT seconds */
#define SMALL_PORT_RANGE 30 /* If DNS port range is smaller than this, use different allocation. */