Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage (#1010)
* Mention REFUSED with TC with unmatched allow_cookie acl in manpage. Also moved the part about bypassing ip-ratelimit to the ip-ratelimit description, as it will be bypassed with a valid DNS-Cookie regardless of the allow_cookie acl.
* Apply suggestions from code review
* Update doc/unbound.conf.5.in
* DNS-Cookies should bypass ip-ratelimit setting
This commit is contained in:
parent
be27499d39
commit
e1229e375f
@ -1327,15 +1327,6 @@ deny_refuse_non_local(struct comm_point* c, enum acl_access acl,
|
||||
worker, repinfo, acladdr, ede, check_result);
|
||||
}
|
||||
|
||||
/* Returns 1 if the ip rate limit check can happen before EDNS parsing,
|
||||
* else 0 */
|
||||
static int
|
||||
pre_edns_ip_ratelimit_check(enum acl_access acl)
|
||||
{
|
||||
if(acl == acl_allow_cookie) return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Check if the query is blocked by source IP rate limiting.
|
||||
* Returns 1 if it passes the check, 0 otherwise. */
|
||||
static int
|
||||
@ -1499,7 +1490,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
}
|
||||
|
||||
worker->stats.num_queries++;
|
||||
pre_edns_ip_ratelimit = pre_edns_ip_ratelimit_check(acl);
|
||||
pre_edns_ip_ratelimit = !worker->env.cfg->do_answer_cookie
|
||||
|| sldns_buffer_limit(c->buffer) < LDNS_HEADER_SIZE
|
||||
|| LDNS_ARCOUNT(sldns_buffer_begin(c->buffer)) == 0;
|
||||
|
||||
/* If the IP rate limiting check needs extra EDNS information (e.g.,
|
||||
* DNS Cookies) postpone the check until after EDNS is parsed. */
|
||||
|
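Review bot: The new `pre_edns_ip_ratelimit` expression in the second hunk defers the pre-EDNS rate-limit check for every query that has `ARCOUNT != 0` whenever `do_answer_cookie` is set, whereas the removed `pre_edns_ip_ratelimit_check()` deferred it only for the `acl_allow_cookie` action; ARCOUNT being non-zero is only a cheap hint that an OPT record (and so possibly a cookie) may follow, not evidence of a cookie. The practical effect is that a source over its limit can cause EDNS parsing to run before it is dropped simply by sending an additional record, which weakens the early-drop property the ip-ratelimit documentation in this same commit advertises; provided the post-EDNS path outside the hunk still applies the limit to clients without a valid cookie, this is a CPU-cost trade-off rather than a bypass, but that assumption is not visible here. I would document the heuristic above the new assignment, e.g. `/* ARCOUNT != 0 only hints that an OPT record (and thus a cookie) may be present; such queries pay for EDNS parsing before the ip-ratelimit check, all other queries are rate limited first. */`. The `LDNS_HEADER_SIZE` guard correctly protects the raw `LDNS_ARCOUNT` read, so the added lines are safe as written. `worker_handle_request` begins and ends outside the hunk, so the later cookie-aware rate-limit check could not be reviewed.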
@ -744,7 +744,7 @@ the cache contents (for malicious acts). However, nonrecursive queries can
|
||||
also be a valuable debugging tool (when you want to examine the cache
|
||||
contents). In that case use \fIallow_snoop\fR for your administration host.
|
||||
.IP
|
||||
The \fIallow_cookie\fR action allows access to UDP queries that contain a
|
||||
The \fIallow_cookie\fR action allows access only to UDP queries that contain a
|
||||
valid DNS Cookie as specified in RFC 7873 and RFC 9018, when the
|
||||
\fBanswer\-cookie\fR option is enabled.
|
||||
UDP queries containing only a DNS Client Cookie and no Server Cookie, or an
|
||||
@ -753,10 +753,8 @@ generated DNS Cookie, allowing clients to retry with that DNS Cookie.
|
||||
The \fIallow_cookie\fR action will also accept requests over stateful
|
||||
transports, regardless of the presence of an DNS Cookie and regardless of the
|
||||
\fBanswer\-cookie\fR setting.
|
||||
If \fBip\-ratelimit\fR is used, clients with a valid DNS Cookie will bypass the
|
||||
ratelimit.
|
||||
If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR
|
||||
can be used instead.
|
||||
UDP queries without a DNS Cookie receive REFUSED responses with the TC flag set,
|
||||
that may trigger fall back to TCP for those clients.
|
||||
.IP
|
||||
By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
|
||||
The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
|
||||
@ -1850,6 +1848,9 @@ The ratelimit is in queries per second that are allowed. More queries are
|
||||
completely dropped and will not receive a reply, SERVFAIL or otherwise.
|
||||
IP ratelimiting happens before looking in the cache. This may be useful for
|
||||
mitigating amplification attacks.
|
||||
Clients with a valid DNS Cookie will bypass the ratelimit.
|
||||
If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR
|
||||
can be used instead.
|
||||
Default is 0 (disabled).
|
||||
.TP 5
|
||||
.B ip\-ratelimit\-cookie: \fI<number or 0>
|
||||
|