1
--- deadwood-3.2.01/src/DwUdpSocket.c 2012-02-11 14:15:43.000000000 -0600
2
+++ deadwood-3.2.02/src/DwUdpSocket.c 2012-02-12 12:38:07.000000000 -0600
6
extern int num_retries;
7
+extern int32_t max_ttl;
9
/* Other mararc parameters */
10
extern dwd_dict *blacklist_dict;
13
answer = dw_packet_to_cache(packet,count,is_nxdomain);
14
decomp = dwc_decompress(question,answer);
16
+ goto catch_cache_dns_reply;
18
if(dwc_has_bad_ip(decomp,blacklist_dict)) {
19
ret = -2; /* Tell caller we need synth "not there" */
20
goto catch_cache_dns_reply;
29
/* Routines in DwRecurse.c process the packet and let us know
30
* what kind of packet we got upstream (so we know how to
31
--- deadwood-3.2.01/src/DwMararc.h 2012-02-11 14:15:43.000000000 -0600
32
+++ deadwood-3.2.02/src/DwMararc.h 2012-02-12 12:34:20.000000000 -0600
34
-/* Copyright (c) 2007-2011 Sam Trenholme
35
+/* Copyright (c) 2007-2012 Sam Trenholme
40
#define DWM_N_truncation_hack 26
41
#define DWM_N_reject_ptr 27
42
#define DWM_N_min_ttl_incomplete_cname 28
43
+#define DWM_N_max_ttl 29
45
/* Number of string parameters in the mararc file */
47
/* Number of dictionary parameters in the mararc file */
49
/* Number of numeric parameters in the mararc file */
50
-#define KEY_N_COUNT 29
51
+#define KEY_N_COUNT 30
54
/* Location of files we read when we run execfile("foo") */
56
synthetic "not there" reply */
57
"min_ttl_incomplete_cname", /* How long to store incomplete CNAME
58
* records in the cache, in seconds */
59
+ "max_ttl", /* Maximum allowed TTL */
63
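Review bot: `DWM_N_max_ttl` is added as 29, `KEY_N_COUNT` is bumped to 30, and `"max_ttl"` is appended as the last entry of the name table below, and the three must stay in lockstep with nothing in the header saying so. A comment on the `#define KEY_N_COUNT 30` line such as `/* Must equal the highest DWM_N_* index + 1 and the entry count of the numeric-parameter name table below */` would keep the next parameter from being added to one without the others. The name of the table itself is not visible in this hunk.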
--- deadwood-3.2.01/src/DwRecurse.c 2012-02-11 14:15:43.000000000 -0600
64
+++ deadwood-3.2.02/src/DwRecurse.c 2012-02-12 12:36:27.000000000 -0600
66
-/* Copyright (c) 2009-2011 Sam Trenholme
67
+/* Copyright (c) 2009-2012 Sam Trenholme
73
extern u_long dont_block;
75
+/* Numeric mararc parameters */
76
+extern int32_t max_ttl;
79
/* Show a single character on the standard output, escaping the
81
* an hour for security reasons */
87
dw_put_u16(place, 65395, -1); /* Add "NS refer" private RR type */
88
dwh_add(cache,place,action,ttl,1);
97
/*ttl = 30; // DEBUG*/
98
uncomp = dwx_create_cname_reply(query, action, answer, ttl);
99
comp = dwc_compress(query, uncomp);
100
@@ -2088,6 +2096,12 @@
101
if(ttl < key_n[DWM_N_min_ttl_incomplete_cname]) {
102
ttl = key_n[DWM_N_min_ttl_incomplete_cname];
107
+ if(ttl > max_ttl) {
110
cname_cache=dw_copy(query);
111
if(cname_cache == 0 || cname_cache->len < 3 ||
112
dw_put_u16(cname_cache, 65394, -3) == -1) {
113
@@ -2164,6 +2178,13 @@
114
goto catch_dwx_cache_reply;
120
+ if(ttl > max_ttl) {
124
bailiwick = dw_get_dname(rem[connection_number].ns->str, 0, 260);
125
if(bailiwick == 0 || bailiwick->len > 256) {
126
goto catch_dwx_cache_reply;
127
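Review bot: The two new `if(ttl > max_ttl) {` clamps (gutter lines 107 and 120; their bodies are not shown on this page) bound the CNAME and answer caching paths, but the `dwh_add(cache,place,action,ttl,1);` call that stores the 65395 "NS refer" record earlier in this section is not visibly bounded; the surviving comment fragment `an hour for security reasons` suggests referrals may already be capped, so confirm that `ttl` there cannot carry an upstream value above max_ttl. At line 107 the cap runs after the `key_n[DWM_N_min_ttl_incomplete_cname]` floor, so a configured min_ttl_incomplete_cname above max_ttl is silently overridden, which is reasonable but worth stating at the clamp: `/* max_ttl takes precedence over min_ttl_incomplete_cname */`. The enclosing functions start and end outside these hunks.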
--- deadwood-3.2.01/src/DwMararc.c 2012-02-11 14:15:43.000000000 -0600
128
+++ deadwood-3.2.02/src/DwMararc.c 2012-02-12 12:34:20.000000000 -0600
130
key_n[DWM_N_truncation_hack] = 1;
131
key_n[DWM_N_reject_ptr] = 0;
132
key_n[DWM_N_min_ttl_incomplete_cname] = 3600;
133
+ key_n[DWM_N_max_ttl] = 86400;
136
/* Look for a Mararc parameter; -1 if not found/error; 0-n if found
137
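Review bot: The default of 86400 is now spelled out in three code places — `key_n[DWM_N_max_ttl] = 86400;` here, and in DwSocket.c both the `int32_t max_ttl = 86400;` initializer and the fourth argument of `get_key_n(DWM_N_max_ttl, ...)` — plus twice in the documentation. A single named constant defined next to `DWM_N_max_ttl` in DwMararc.h, e.g. `#define DWM_MAX_TTL_DEFAULT 86400`, referenced from all three sites, keeps them from drifting the next time the policy changes. The 300 and 7776000 bounds have the same issue, known only to the DwSocket.c call and the docs.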
--- deadwood-3.2.01/src/DwSocket.c 2012-02-11 14:15:43.000000000 -0600
138
+++ deadwood-3.2.02/src/DwSocket.c 2012-02-12 12:34:20.000000000 -0600
140
int32_t num_ports = 4096;
141
int32_t maradns_uid = 99;
142
int32_t maradns_gid = 99;
143
+int32_t max_ttl = 86400;
145
dwd_dict *blacklist_dict = 0;
148
maradns_gid = get_key_n(DWM_N_maradns_gid,10,65535,99);
149
resurrections = get_key_n(DWM_N_resurrections,0,1,1);
150
num_retries = get_key_n(DWM_N_num_retries,0,32,5);
151
+ max_ttl = get_key_n(DWM_N_max_ttl,
152
+ 300 /* 5 minutes */,
153
+ 7776000 /* 90 days */,
154
+ 86400 /* One day */);
156
if((num_ports & (num_ports - 1)) != 0) {
157
dw_fatal("num_ports must be a power of 2");
158
--- deadwood-3.2.01/doc/Deadwood.ej 2012-02-11 14:15:43.000000000 -0600
159
+++ deadwood-3.2.02/doc/Deadwood.ej 2012-02-12 12:34:20.000000000 -0600
162
The default value is 8.
165
+The maximum amount of time we will keep an entry in the cache, in seconds.
169
+This is the longest we will keep an entry cached. The default value for
170
+this parameter is 86400 (one day); the minimum value is 300 (5 minutes) and
171
+the maximum value this can have is 7776000 (90 days).
175
+The reason why this parameter is here is to protect Deadwood from attacks
176
+which exploit there being stale data in the cache, such as the
177
+"Ghost Domain Names" attack.
179
<h2>maximum_cache_elements</h2>
180
The maximum number of elements our cache
181
is allowed to have. This is a number between 32 and 16,777,216;
182
--- deadwood-3.2.01/doc/dwood3rc-all 2012-02-11 14:15:43.000000000 -0600
183
+++ deadwood-3.2.02/doc/dwood3rc-all 2012-02-12 12:34:20.000000000 -0600
185
# Maximum number of TCP connections. tcp_listen also must be set.
188
+# Maximum time an entry will stay in the cache, in seconds (86400 = one day)
191
# The number of times we retry to send a query upstream before giving up.