blob: 74bffe5103727374efd0ffb05a397a2f5407175b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
|
.. _mod-cookies:
``cookies`` — DNS Cookies
=========================
DNS Cookies (:rfc:`7873`) is a lightweight security mechanism against
denial-of-service and amplification attacks. The server keeps a secret value
(the Server Secret), which is used to generate a cookie, which is sent to
the client in the OPT RR. The server then verifies the authenticity of the client
by the presence of a correct cookie. Both the server and the client have to
support DNS Cookies, otherwise they are not used.
.. NOTE::
This module introduces two statistics counters:
- ``presence`` – The number of queries containing the COOKIE option.
- ``dropped`` – The number of dropped queries due to the slip limit.
.. WARNING::
For effective module operation the :ref:`RRL<mod-rrl>` module must also
be enabled and configured after :ref:`Cookies<mod-cookies>`. See
:ref:`query-modules` how to configure modules.
Example
-------
It is recommended to enable DNS Cookies globally, not per zone. The module may be used without any further configuration.
::
template:
- id: default
global-module: mod-cookies # Enable DNS Cookies globally
Module configuration may be supplied if necessary.
::
mod-cookies:
- id: default
secret-lifetime: 30h # The Server Secret is regenerated every 30 hours
badcookie-slip: 3 # The server replies only to every third query with a wrong cookie
template:
- id: default
global-module: mod-cookies/default # Enable DNS Cookies globally
The value of the Server Secret may also be managed manually using the :ref:`mod-cookies_secret` option. In this case
the server does not automatically regenerate the Server Secret.
::
mod-cookies:
- id: default
secret: 0xdeadbeefdeadbeefdeadbeefdeadbeef
Module reference
----------------
::
mod-cookies:
- id: STR
secret-lifetime: TIME
badcookie-slip: INT
secret: STR | HEXSTR
.. _mod-cookies_id:
id
..
A module identifier.
.. _mod-cookies_secret-lifetime:
secret-lifetime
...............
This option configures in seconds how often the Server Secret is regenerated.
The maximum allowed value is 36 days (:rfc:`7873#section-7.1`).
*Default:* ``26h`` (26 hours)
.. _mod-cookies_badcookie-slip:
badcookie-slip
..............
This option configures how often the server responds to queries containing
an invalid cookie by sending them the correct cookie.
- The value **1** means that the server responds to every query.
- The value **2** means that the server responds to every second query with
an invalid cookie, the rest of the queries is dropped.
- The value **N > 2** means that the server responds to every N\ :sup:`th`
query with an invalid cookie, the rest of the queries is dropped.
*Default:* ``1``
.. _mod-cookies_secret:
secret
......
Use this option to set the Server Secret manually. If this option is used, the
Server Secret remains the same until changed manually and the :ref:`mod-cookies_secret-lifetime` option is ignored.
The size of the Server Secret currently MUST BE 16 bytes, or 32 hexadecimal characters.
*Default:* not set
|
