From: =?utf-8?b?T25kxZllaiBTdXLDvQ==?= Date: Fri, 24 Sep 2021 09:35:11 +0200 Subject: Disable lame-ttl cache The lame-ttl cache is implemented in ADB as per-server locked linked-list "indexed" with . This list has to be walked every time there's a new query or new record added into the lame cache. Determined attacker can use this to degrade performance of the resolver. Resolver testing has shown that disabling the lame cache has little impact on the resolver performance and it's a minimal viable defense against this kind of attack. --- bin/named/config.c | 2 +- bin/named/server.c | 8 ++++++-- doc/arm/Bv9ARM-book.xml | 9 +++------ 3 files changed, 10 insertions(+), 9 deletions(-) diff --git a/bin/named/config.c b/bin/named/config.c index d22ee4b..ba5fa8a 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -170,7 +170,7 @@ options {\n\ #ifdef HAVE_GEOIP " geoip-use-ecs yes;\n" #endif -" lame-ttl 600;\n" +" lame-ttl 0;\n" #ifdef HAVE_LMDB " lmdb-mapsize 32M;\n" #endif diff --git a/bin/named/server.c b/bin/named/server.c index 149458e..748a150 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -3971,8 +3971,12 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, result = ns_config_get(maps, "lame-ttl", &obj); INSIST(result == ISC_R_SUCCESS); lame_ttl = cfg_obj_asuint32(obj); - if (lame_ttl > 1800) - lame_ttl = 1800; + if (lame_ttl > 0) { + cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING, + "disabling lame cache despite lame-ttl > 0 as it " + "may cause performance issues"); + lame_ttl = 0; + } dns_resolver_setlamettl(view->resolver, lame_ttl); /* diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 4b36bd0..7852b5a 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -8855,12 +8855,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; lame-ttl - Sets the number of seconds to cache a - lame server indication. 0 disables caching. (This is - NOT recommended.) - The default is 600 (10 minutes) and the - maximum value is - 1800 (30 minutes). + This is always set to 0. More information is available + in the security advisory for CVE-2021-25219.