1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 7 Mar 2023 22:07:46 +0000
Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232.
Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5]
CVE: CVE-2023-28450
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
---
CHANGELOG | 8 ++++++++
man/dnsmasq.8 | 3 ++-
src/config.h | 2 +-
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index d1d7e41..7a560d3 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -91,6 +91,14 @@ version 2.81
Fix write-after-free error in DHCPv6 server code.
CVE-2022-0934 refers.
+ Set the default maximum DNS UDP packet sice to 1232. This
+ has been the recommended value since 2020 because it's the
+ largest value that avoid fragmentation, and fragmentation
+ is just not reliable on the modern internet, especially
+ for IPv6. It's still possible to override this with
+ --edns-packet-max for special circumstances.
+
+
version 2.80
Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
for the initial patch and motivation.
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index f2803f9..3cca4bc 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -168,7 +168,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
.TP
.B \-P, --edns-packet-max=<size>
Specify the largest EDNS.0 UDP packet which is supported by the DNS
-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
+forwarder. Defaults to 1232, which is the recommended size following the
+DNS flag day in 2020. Only increase if you know what you are doing.
.TP
.B \-Q, --query-port=<query_port>
Send outbound DNS queries from, and listen for their replies on, the
diff --git a/src/config.h b/src/config.h
index 54f6f48..29ac3e7 100644
--- a/src/config.h
+++ b/src/config.h
@@ -19,7 +19,7 @@
#define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
#define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
#define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */
-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
#define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
#define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
#define DNSSEC_WORK 50 /* Max number of queries to validate one question */
--
2.18.2
|
