Add config option to toggle dns case randomization.

Signed-off-by: Jason Volk <jason@zemos.net>
Jason Volk
2025-09-13 06:51:50 +00:00
parent e3a711482a
commit 69075b166f
3 changed files with 25 additions and 1 deletions


@@ -385,6 +385,18 @@ pub struct Config {
#[serde(default)]
pub dns_passthru_appservices: bool,
/// Enable or disable case randomization for DNS queries. This is a security
/// mitigation where answer spoofing is prevented by having to exactly match
/// the question. Occasional errors seen in logs which may have lead you
/// here tend to be from overloading DNS. Nevertheless for servers which
/// are truly incapable this can be set to false.
///
/// This currently defaults to false due to user reports regarding some
/// popular DNS caches which may or may not be patched soon. It may again
/// default to true in an upcoming release.
#[serde(default)]
pub dns_case_randomization: bool,
/// Max request size for file uploads in bytes. Defaults to 20MB.
///
/// default: 20971520
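Review bot: The new doc comment on `dns_case_randomization` does not end with the `default:` line that the neighbouring fields use (compare `/// default: 20971520` on the field right below), so the default is only stated in prose; appending `///` and `/// default: false` keeps the struct self-describing in the same form as the rest of `Config`, and the same applies to the matching block in the example-config hunk further down. The prose also has a typo, "may have lead you here" should read "may have led you here". Since `#[serde(default)]` on a `bool` yields `false`, the comment and the actual default agree, but it would help operators to say plainly that leaving this off removes the spoofing mitigation and should only be done where the upstream resolver is known to mishandle mixed-case names. The `Config` struct begins and ends outside this hunk.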


@@ -121,7 +121,7 @@ impl Resolver {
opts.try_tcp_on_error = config.dns_tcp_fallback;
opts.num_concurrent_reqs = 1;
opts.edns0 = true;
opts.case_randomization = true;
opts.case_randomization = config.dns_case_randomization;
opts.preserve_intermediates = true;
opts.ip_strategy = match config.ip_lookup_strategy {
| 1 => LookupIpStrategy::Ipv4Only,
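Review bot: Replacing the hardcoded `opts.case_randomization = true;` with `config.dns_case_randomization` silently turns the mitigation off for every existing deployment, because the new field defaults to `false` and nothing here surfaces that. A one-line notice at this point, using whichever logging macro this file already has in scope, would make the regression visible in logs, e.g. `if !config.dns_case_randomization { warn!("DNS case randomization is disabled; answer-spoofing mitigation is off"); }`. I cannot see how `opts` is consumed afterwards, so this assumes the resolver is built once at startup rather than per query. The enclosing function in `impl Resolver` starts before and continues past this hunk.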


@@ -302,6 +302,18 @@
#
#dns_passthru_appservices = false
# Enable or disable case randomization for DNS queries. This is a security
# mitigation where answer spoofing is prevented by having to exactly match
# the question. Occasional errors seen in logs which may have lead you
# here tend to be from overloading DNS. Nevertheless for servers which
# are truly incapable this can be set to false.
#
# This currently defaults to false due to user reports regarding some
# popular DNS caches which may or may not be patched soon. It may again
# default to true in an upcoming release.
#
#dns_case_randomization = false
# Max request size for file uploads in bytes. Defaults to 20MB.
#
#max_request_size = 20971520