In doh2 mode, the response is Wrong

CZ-NIC / knot-resolver

Knot Resolver - resolve DNS names like it's 2024

https://www.knot-resolver.cz/

Other

362 stars 59 forks source link

In doh2 mode, the response is Wrong #79

Closed ShipeiXu closed 2 years ago

ShipeiXu commented 2 years ago

As shown below, The addition area of the response packet is very large. has a lot of padding bytes

ShipeiXu commented 2 years ago

config:

vcunat commented 2 years ago

Yes, that's not wrong, it's an intentional privacy feature. The main point of the DoH standard was privacy, and message size is a part of that.

You can find more information about padding around RFCs like https://www.rfc-editor.org/rfc/rfc8467.html

ShipeiXu commented 2 years ago

Bug，this increases the amplification attack。

vcunat commented 2 years ago

Amplification is only considered for reflection attacks, i.e. when source address is spoofed to another network path. That is not possible with DoH (or DoT).

vcunat commented 2 years ago

I forgot to say, the padding is configurable: https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-net_tlssrv.html#net.tls_padding