Self-DoS/forwarding loop
#1938
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
-
Output of the following commands:
Version 2.1.1
How do we replicate the issue?
echo "localhost 127.0.0.1" >> /etc/dnscrypt-proxy/forwarding.confecho "nameserver 127.0.0.1" > /etc/resolv.confdig localhost @127.0.0.1Actual behavior (i.e. the problem)
A single DNS request is enough to put dnscrypt-proxy in an infinite forwarding loop to the point where it disrupt services and it can’t answer other queries.
Expected behavior (i.e. solution)
Detect the resolution loop and return a SERVFAIL response.
Other Comments
Since this is a forwarding gone wrong, it’s easier to detect than a normal loop. When n identical queries from the same source match a forwarding rule in a short time interval , send a TXT request to
_someuniqueid.forwarding-hostto that forwarding server. If that same request is received by the server, then stop all lookups via the affected forwarding chain (or maybe just requests matching the request that triggered the _someuniqueid) for a second or two to break the loop.Beta Was this translation helpful? Give feedback.
All reactions