DNS security, amplification attacks and recursion
kremels at kreme.com
Tue Jul 7 20:05:53 UTC 2020
On 07 Jul 2020, at 12:06, Michael De Roover <isc at nixmagic.com> wrote:
> On 7/7/20 4:06 PM, Tony Finch wrote:
>> max-udp-size 1420;
> Interesting, I wasn't aware of this campaign. I don't know if I'm knowledgeable enough on UDP to be able to make educated decisions on this myself but I look forward to its eventual release.
The URL has a good explanation of this setting and it looks like 1420 is a more than adequate packet size.
From the page:
An EDNS buffer size of 1232 bytes will avoid fragmentation on nearly all current networks. This is based on an MTU of 1280, which is required by the IPv6 specification, minus 48 bytes for the IPv6 and UDP headers.
Sunce 1420 is still well under the MTU on most connections (usually 1500, sometimes 1492) and well above the required, I suspect this is fine as well. I've gone ahead and added to to my named.conf with a comment linking to Tony's message.
"Are you pondering what I'm pondering?"
"I think so, Mr. Brain, but if the sun'll come out tomorrow, what's
it doing right now?"
More information about the bind-users