From: Peter van Dijk <peter.van.dijk@netherlabs.nl>
Date: Tue, 5 Nov 2013 12:53:02 +0000 (+0100)
Subject: adopt any-to-tcp feature to the recursor. Based on a patch by Winfried Angele. Closes... 
X-Git-Tag: rec-3.6.0-rc1~353
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e661a20b49162eb2ca1ecd157216beaa6450fc49;p=pdns

adopt any-to-tcp feature to the recursor. Based on a patch by Winfried Angele. Closes #836
---

diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml
index ab0ce7dbd..79cdf36d4 100755
--- a/pdns/docs/pdns.xml
+++ b/pdns/docs/pdns.xml
@@ -14109,6 +14109,15 @@ sql> insert into domainmetadata (domain_id, kind, content) values (6, 'TSIG-ALLO
 	      </para>
 	    </listitem>
 	  </varlistentry>
+          <varlistentry>
+            <term>any-to-tcp | any-to-tcp=yes | any-to-tcp=no</term>
+            <listitem>
+              <para>
+                Answer questions for the ANY type on UDP with a truncated packet that refers the
+                remote server to TCP. Useful for mitigating ANY reflection attacks. Defaults to off.
+              </para>
+            </listitem>
+          </varlistentry>
 	  <varlistentry>
 	    <term>dont-query</term>
 	    <listitem>
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 6dd47297e..3d300257a 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -75,6 +75,7 @@ __thread unsigned int t_id;
 unsigned int g_maxTCPPerClient;
 unsigned int g_networkTimeoutMsec;
 bool g_logCommonErrors;
+bool g_anyToTcp;
 __thread shared_ptr<RecursorLua>* t_pdl;
 __thread RemoteKeeper* t_remotes;
 __thread shared_ptr<Regex>* t_traceRegex;
@@ -512,6 +513,11 @@ void startDoResolve(void *p)
     pw.getHeader()->id=dc->d_mdp.d_header.id;
     pw.getHeader()->rd=dc->d_mdp.d_header.rd;
 
+    if(dc->d_mdp.d_qtype==QType::ANY && !dc->d_tcp && g_anyToTcp) {
+      pw.getHeader()->tc=1;
+      goto sendit;
+    }
+
     SyncRes sr(dc->d_now);
     bool tracedQuery=false; // we could consider letting Lua know about this too
     if(t_traceRegex->get() && (*t_traceRegex)->match(dc->d_mdp.d_qname)) {
@@ -1779,6 +1785,8 @@ int serviceMain(int argc, char*argv[])
  
     
   g_logCommonErrors=::arg().mustDo("log-common-errors");
+
+  g_anyToTcp = ::arg().mustDo("any-to-tcp");
   
   makeUDPServerSockets();
   makeTCPServerSockets();
@@ -2053,6 +2061,7 @@ int main(int argc, char **argv)
     ::arg().setSwitch( "disable-edns", "Disable EDNS - EXPERIMENTAL, LEAVE DISABLED" )= ""; 
     ::arg().setSwitch( "disable-packetcache", "Disable packetcache" )= "no"; 
     ::arg().setSwitch( "pdns-distributes-queries", "If PowerDNS itself should distribute queries over threads (EXPERIMENTAL)")="no";
+    ::arg().setSwitch( "any-to-tcp","Answer ANY queries with tc=1, shunting to TCP" )="no";
     ::arg().set("include-dir","Include *.conf files from this directory")="";
 
     ::arg().setCmd("help","Provide a helpful message");