From: bert hubert
Date: Tue, 21 May 2013 19:10:06 +0000 (+0200)
Subject: any-to-tcp now feature complete & documented
X-Git-Tag: auth-3.3-rc1~21
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=357f6a75e6632efcdd00ef7cb1ee812d64a9c54a;p=pdns
any-to-tcp now feature complete & documented
---
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index 6cb90fd94..bed919130 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -16,7 +16,7 @@ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
 #include "common_startup.hh"
-
+bool g_anyToTcp;
 typedef Distributor DNSDistributor;
@@ -30,7 +30,7 @@ UDPNameserver *N;
 int avg_latency;
 TCPNameserver *TN;
-bool g_anyToTCP;
+
 ArgvMap &arg() {
@@ -102,6 +102,7 @@ void declareArguments()
 ::arg().setSwitch("webserver","Start a webserver for monitoring")="no";
 ::arg().setSwitch("webserver-print-arguments","If the webserver should print arguments")="no";
 ::arg().setSwitch("edns-subnet-processing","If we should act on EDNS Subnet options")="no";
+ ::arg().setSwitch("any-to-tcp","Answer ANY queries with tc=1, shunting to TCP")="no";
 ::arg().set("edns-subnet-option-number","EDNS option number to use")="20730";
 ::arg().set("webserver-address","IP Address of webserver to listen on")="127.0.0.1";
 ::arg().set("webserver-port","Port of webserver to listen on")="8081";
@@ -331,12 +332,11 @@ void mainthread()
 int newuid=0;
 if(!::arg()["setuid"].empty()) newuid=Utility::makeUidNumeric(::arg()["setuid"]);
-
+ g_anyToTcp = ::arg().mustDo("any-to-tcp");
 DNSPacket::s_doEDNSSubnetProcessing = ::arg().mustDo("edns-subnet-processing");
-
+
 #ifndef WIN32
-
 if(!::arg()["chroot"].empty()) {
 if(::arg().mustDo("master") || ::arg().mustDo("slave")) gethostbyname("a.root-servers.net"); // this forces all lookup libraries to be loaded
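Review bot: `bool g_anyToTcp;` in the first common_startup.cc hunk has no initialiser and no comment, so its default (false, by zero-initialisation of a namespace-scope object) and its single writer are only discoverable by finding the assignment in the @@ -331 hunk; `bool g_anyToTcp = false; // any-to-tcp switch: set once in mainthread(), read on the PacketHandler query path` states both. The flag is assigned in mainthread() after the setuid handling and read without synchronisation from packethandler.cc, which is fine only if no query-handling thread runs before that assignment — the hunk does not show where those threads start, so this is worth confirming.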
@@ -348,6 +348,7 @@ void mainthread() L<allow-recursion=192.168.0.0/24, 10.0.0.0/8, 1.2.3.4.
+ any-to-tcp | any-to-tcp=yes | any-to-tcp=no
+
+ Answer questions for the ANY type on UDP with a truncated packet that refers the
+ remote server to TCP. Useful for mitigating ANY reflection attacks. Defaults to off. Available since 3.3.
+ cache-ttl=... Seconds to store packets in the PacketCache. See .
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 8f8d1ef4e..ba5165768 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -38,17 +38,13 @@
 #include "communicator.hh"
 #include "dnsproxy.hh"
 #include "version.hh"
+#include "common_startup.hh"
 #if 0
 #undef DLOG
 #define DLOG(x) x
 #endif
-
-extern StatBag S;
-extern PacketCache PC;
-extern CommunicatorClass Communicator;
-extern DNSProxy *DP;
-
+
 AtomicCounter PacketHandler::s_count;
 extern string s_programname;
@@ -1165,7 +1161,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
 return r;
 }
- L<qdomain<<"' "<qtype.getName()<<" from "<getRemote()<qdomain<<"' "<qtype.getName()<<" from "<getRemote()<< " (tcp="<d_tcp<<")"<d.ra = (p->d.rd && d_doRecursion && DP->recurseFor(p)); // make sure we set ra if rd was set, and we'll do it
@@ -1185,8 +1181,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
 if(doVersionRequest(p,r,target)) // catch version.bind requests
 goto sendit;
- if(p->qtype.getCode() == QType::ANY) {
- cerr<<"Shunted it to TCP.."<qtype.getCode() == QType::ANY && !p->d_tcp && g_anyToTcp) {
 r->d.tc = 1;
 r->commitD();
 return r;
diff --git a/pdns/pdns.conf-dist b/pdns/pdns.conf-dist
index 1da5da19a..a3e10c0c5 100644
--- a/pdns/pdns.conf-dist
+++ b/pdns/pdns.conf-dist
@@ -9,6 +9,11 @@
 #
 # allow-recursion=0.0.0.0/0
+#################################
+# any-to-tcp Answer ANY queries with tc=1, shunting to TCP
+#
+# any-to-tcp=no
+
 #################################
 # cache-ttl Seconds to store packets in the PacketCache
 #
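Review bot: The new tc=1 short-circuit in questionOrRecurse returns `r` before any answer records are added, which keeps the UDP reply at its minimum size, but nothing in the hunk marks that reply as transport-specific; if it is inserted into the packet cache under a key that does not include `d_tcp` (the cache lookup and insert are outside this hunk), a truncated reply stored for a UDP ANY query could be served to a later TCP client, and a full answer stored from a TCP query could be served over UDP, which defeats the mitigation — confirm the cache key includes the transport or skip caching when `r->d.tc` is set. With the `cerr` debug line removed there is no longer any way to see how often queries are shunted, so a counter or debug-level log at the return would help operators verify the option is doing work. A short comment above the condition, such as `// any-to-tcp: refer UDP ANY queries to TCP with an otherwise empty TC=1 reply (limits amplification)`, would record the intent. questionOrRecurse starts and continues outside this hunk.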