IP_PMTUDISC_OMIT on IPv4/UDP for mitigating fragment attack
Linux 3.15 introduced a new socket option, IP_PMTUDISC_OMIT [1], which makes sockets ignore PMTU information and send packets with DF=0. With this sockopt, fragmentation happens if and only if the packet size exceeds the outgoing interface MTU or the packet encounters a link with a smaller MTU in the network.
Because forged PMTU information is no longer honoured, setting IP_PMTUDISC_OMIT (instead of IP_PMTUDISC_DONT) on a DNS responder's IPv4/UDP socket mitigates DNS fragmentation attacks [2]. Some DNS implementations already have this feature [3][4][5].
Patches for knot-2.7.6 and 2.8.0 that set IP_PMTUDISC_OMIT on IPv4/UDP sockets (if available) are attached.
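For reference, here is how the setting is applied to a plain IPv4/UDP socket on Linux, with the fallback to IP_PMTUDISC_DONT that the "if available" above implies. This is an added, stand-alone example, not the attached Knot patches; the function names (udp_disable_pmtu_trust, udp_get_pmtu_mode, open_hardened_udp_socket) are my own, and the local definition of IP_PMTUDISC_OMIT as 5 only covers builds against pre-3.15 headers, leaving the running kernel to accept or reject the value.

```c
/* Added example (not part of the Knot patches): set IP_PMTUDISC_OMIT on an
 * IPv4/UDP socket, falling back to IP_PMTUDISC_DONT when the running kernel
 * predates Linux 3.15 and rejects the value. Linux-specific. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* IP_PMTUDISC_OMIT is 5 in <linux/in.h> since 3.15; define it so the code
 * also compiles against older userland headers (assumption: same value). */
#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5
#endif

/* Prefer OMIT (DF=0, cached PMTU ignored); fall back to DONT (DF=0, but the
 * kernel still fragments to a cached, possibly forged, PMTU).
 * Returns the mode actually set, or -1 on failure. */
int udp_disable_pmtu_trust(int fd)
{
    int mode = IP_PMTUDISC_OMIT;
    if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, sizeof(mode)) == 0)
        return mode;
    /* EINVAL: kernel too old to know OMIT. Anything else is a real error. */
    if (errno != EINVAL && errno != ENOPROTOOPT)
        return -1;
    mode = IP_PMTUDISC_DONT;
    if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, sizeof(mode)) == 0)
        return mode;
    return -1;
}

/* Read the mode back so an operator (or a test) can confirm the setting. */
int udp_get_pmtu_mode(int fd)
{
    int mode = -1;
    socklen_t len = sizeof(mode);
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, &len) != 0)
        return -1;
    return mode;
}

/* Create an IPv4/UDP socket with the hardened PMTU setting; fd or -1. */
int open_hardened_udp_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (udp_disable_pmtu_trust(fd) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = open_hardened_udp_socket();
    if (fd < 0) {
        perror("open_hardened_udp_socket");
        return 1;
    }
    int mode = udp_get_pmtu_mode(fd);
    printf("IP_MTU_DISCOVER = %d (%s)\n", mode,
           mode == IP_PMTUDISC_OMIT ? "OMIT" :
           mode == IP_PMTUDISC_DONT ? "DONT" : "other");
    close(fd);
    return 0;
}
```

A responder that binds many sockets (one per address or per worker) needs to apply this to each of them before the first sendmsg(); on a kernel older than 3.15 the readback will report IP_PMTUDISC_DONT, which is the pre-patch behaviour and a useful thing to log at startup.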
[1] Linux kernel introduced IP*_PMTUDISC_OMIT https://lists.openwall.net/netdev/2014/02/26/4
[2] IP fragmentation attack on DNS https://ripe67.ripe.net/presentations/240-ipfragattack.pdf
[3] Unbound 1.5.0 introduced this feature. https://github.com/NLnetLabs/unbound/commit/470b7bda8763c36a7db255d1d981f3ae06d41ba0
[4] BIND 9.9.10 introduced this feature. https://www.isc.org/blogs/bind-april-2017/
[5] NSD 4.1.27 will introduce this feature. https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4235
knot-2.7.6-pmtudisc_omit.patch knot-2.8.0-pmtudisc_omit.patch