1. 05 Oct, 2020 1 commit
    • Simplify the EDNS buffer size logic for DNS Flag Day 2020 · bb990030
      Ondřej Surý authored
      The DNS Flag Day 2020 aims to remove the IP fragmentation problem from
      the UDP DNS communication.  In this commit, we implement the required
      changes and simplify the logic for picking the EDNS Buffer Size.
      1. The defaults for `edns-udp-size`, `max-udp-size` and
         `nocookie-udp-size` have been changed to `1232` (the value picked by
         DNS Flag Day 2020).
      2. The probing heuristics that would try 512->4096->1432->1232 buffer
         sizes have been removed and the resolver will always use just the
         `edns-udp-size` value.
      3. Instead of just disabling the PMTUD mechanism on the UDP sockets, we
         now set the IP_DONTFRAG (IPV6_DONTFRAG) flag.  That means that the UDP
         packets won't ever get fragmented.  If the ICMP packets are lost, the
         UDP will just time out and eventually be retried over TCP.
  2. 14 Sep, 2020 1 commit
  3. 19 May, 2020 1 commit
  4. 21 Feb, 2020 1 commit
  5. 13 Feb, 2020 2 commits
    • apply the modified style · e851ed0b
      Evan Hunt authored
    • Use clang-tidy to add curly braces around one-line statements · 056e133c
      Ondřej Surý authored
      The command used to reformat the files in this commit was:
      ./util/run-clang-tidy \
      	-clang-tidy-binary clang-tidy-11 \
      	-clang-apply-replacements-binary clang-apply-replacements-11 \
      	-checks=-*,readability-braces-around-statements \
      	-j 9 \
      	-fix \
      	-format \
      	-style=file
      clang-format -i --style=format $(git ls-files '*.c' '*.h')
      uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h')
      clang-format -i --style=format $(git ls-files '*.c' '*.h')
  6. 12 Feb, 2020 1 commit
  7. 23 Oct, 2018 2 commits
  8. 08 Aug, 2018 2 commits
  9. 11 May, 2018 1 commit
  10. 06 Apr, 2018 1 commit
  11. 23 Feb, 2018 1 commit
  12. 30 Dec, 2016 1 commit
  13. 27 Jun, 2016 1 commit
  14. 09 Jul, 2015 1 commit
    • [master] DDoS mitigation features · 1479200a
      Evan Hunt authored
      3938.	[func]		Added quotas to be used in recursive resolvers
      			that are under high query load for names in zones
      			whose authoritative servers are nonresponsive or
      			are experiencing a denial of service attack.
      			- "fetches-per-server" limits the number of
      			  simultaneous queries that can be sent to any
      			  single authoritative server.  The configured
      			  value is a starting point; it is automatically
      			  adjusted downward if the server is partially or
      			  completely non-responsive. The algorithm used to
      			  adjust the quota can be configured via the
      			  "fetch-quota-params" option.
      			- "fetches-per-zone" limits the number of
      			  simultaneous queries that can be sent for names
      			  within a single domain.  (Note: Unlike
      			  "fetches-per-server", this value is not
      			- New stats counters have been added to count
      			  queries spilled due to these quotas.
      			See the ARM for details of these options. [RT #37125]
  15. 07 Jul, 2015 1 commit
  16. 05 Jul, 2015 1 commit
    • 4152. [func] Implement DNS COOKIE option. This replaces the · ce67023a
      Mark Andrews authored
                              experimental SIT option of BIND 9.10.  The following
                              named.conf directives are available: send-cookie,
                              cookie-secret, cookie-algorithm and nocookie-udp-size.
                              The following dig options are available:
                              +[no]cookie[=value] and +[no]badcookie.  [RT #39928]
  17. 20 Nov, 2014 1 commit
  18. 18 Nov, 2014 1 commit
    • [master] limit recursion depth and iterative queries · 3230429e
      Evan Hunt authored
      4006.	[security]	A flaw in delegation handling could be exploited
      			to put named into an infinite loop.  This has
      			been addressed by placing limits on the number
      			of levels of recursion named will allow (default 7),
      			and the number of iterative queries that it will
      			send (default 50) before terminating a recursive
      			query (CVE-2014-8500).
      			The recursion depth limit is configured via the
      			"max-recursion-depth" option.  [RT #35780]
  19. 06 Aug, 2014 1 commit
  20. 21 May, 2014 1 commit
  21. 19 Feb, 2014 2 commits
    • update copyrights · e676a596
      Mark Andrews authored
    • 3744. [experimental] SIT: send and process Source Identity Tokens · b5f6271f
      Mark Andrews authored
                              (which are similar to DNS Cookies by Donald Eastlake)
                              and are designed to help clients detect off path
                              spoofed responses and for servers to detect legitimate
                              SIT use an experimental EDNS option code (65001).
                              SIT can be enabled via --enable-developer or
                              --enable-sit.  It is on by default in Windows.
                              RRL processing has been updated to know about SIT with
                              legitimate clients not being rate limited. [RT #35389]
  22. 26 Jun, 2013 1 commit
    • [master] "rndc flushtree -all <name>" · 9fa5a723
      Evan Hunt authored
      3606.	[func]		"rndc flushtree -all" flushes matching
      			records in the ADB and bad cache as well as
      			the DNS cache.  (Without the "-all" option,
      			flushtree will still only flush records from
      			the DNS cache.) [RT #33970]
  23. 12 Jun, 2013 1 commit
  24. 22 Mar, 2013 1 commit
    • [master] add DSCP support · 67adc03e
      Evan Hunt authored
      3535.	[func]		Add support for setting Differentiated Services Code
      			Point (DSCP) values in named.  Most configuration
      			options which take a "port" option (e.g.,
      			listen-on, forwarders, also-notify, masters,
      			notify-source, etc) can now also take a "dscp"
      			option specifying a code point for use with
      			outgoing traffic, if supported by the underlying
      			OS. [RT #27596]
  25. 28 Feb, 2013 2 commits
    • update copyrights · 8e5fce1f
      Mark Andrews authored
    • [master] accept >4g max-{,a}cache-size · 2a184ff8
      Evan Hunt authored
      3506.	[func]		When setting "max-cache-size" and "max-acache-size",
      			the keyword "unlimited" is no longer defined as equal
      			to 4 gigabytes (except on 32-bit platforms); it
      			means literally unlimited. [RT #32358]
      3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
      			larger values than 4 gigabytes could not be set
      			explicitly, though larger sizes were available
      			when setting cache size to 0. This has been
      			corrected; the full range is now available.
      			[RT #32358]
  26. 05 Dec, 2011 1 commit
  27. 27 Oct, 2011 2 commits
  28. 03 Apr, 2008 2 commits
  29. 19 Jun, 2007 1 commit
  30. 18 Jun, 2007 1 commit
  31. 22 Dec, 2006 2 commits
  32. 23 Jun, 2005 1 commit