In response to CVE-2015-7547, we are developing this Lua script, which should protect your users at a slight risk of disrupting specific queries that naturally deliver very large responses.
Run the script below by setting:

    lua-dns-script=stop-cve-2015-7547.lua

or load it at runtime with:

    rec_control reload-lua-script stop-cve-2015-7547.lua

Please continue to check this page for updates.
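
    -- Hook run after resolution, with the records that are about to be returned.
    function postresolve(remoteip, domain, qtype, records, origrcode)
        -- Estimate the response size: name and content of each record plus 16 bytes.
        local len = 0
        for key, val in ipairs(records) do
            len = len + #val.qname + #val.content + 16
        end
        if len < 2048 then
            -- Below the limit: return -1 so the answer is passed on unchanged.
            return -1, {}
        else
            -- At or above the limit: return -2 so the oversized answer is withheld.
            -- pdnslog("Protected "..remoteip.." against an overly large response of "..len.." bytes")
            return -2, {}
        end
    end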
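
To see which answers the 2048-byte estimate would block before loading the script on a production resolver, the hook can be run under a stand-alone Lua interpreter. The harness below is an added example, not part of the PowerDNS script; it assumes the script is saved as stop-cve-2015-7547.lua in the current directory, and the record sets, names and client address are constructed sample values.

```lua
-- Offline dry run of the postresolve hook (added example, not PowerDNS code).
-- Assumption: the script from this page is saved as stop-cve-2015-7547.lua
-- in the current directory.

-- Stub for the recursor's logging call, in case the log line is uncommented.
function pdnslog(msg) print("  log: " .. msg) end

assert(loadfile("stop-cve-2015-7547.lua"))()   -- defines the global postresolve()

-- Build n constructed records carrying the two fields the script measures.
local function rrset(n, qname, content)
  local t = {}
  for i = 1, n do t[i] = { qname = qname, content = content } end
  return t
end

-- The same per-record estimate the script applies: name + content + 16.
local function estimate(records)
  local len = 0
  for _, r in ipairs(records) do len = len + #r.qname + #r.content + 16 end
  return len
end

-- Constructed sample answers, including both sides of the 2048 boundary.
local cases = {
  { "single A record",      rrset(1,  "www.example.com.",  "192.0.2.1") },
  { "30 A records",         rrset(30, "pool.example.com.", "192.0.2.1") },
  { "60 A records",         rrset(60, "pool.example.com.", "192.0.2.1") },
  { "ten 255-byte TXT",     rrset(10, "txt.example.com.",  string.rep("x", 255)) },
  { "one byte under limit", rrset(1,  "big.example.com.",  string.rep("x", 2015)) },
  { "exactly at limit",     rrset(1,  "big.example.com.",  string.rep("x", 2016)) },
}

for _, c in ipairs(cases) do
  local label, records = c[1], c[2]
  -- qtype (1) and origrcode (0) are placeholders; the script does not read them.
  local rcode = postresolve("192.0.2.53", records[1].qname, 1, records, 0)
  -- rcode is -1 when the estimate is under the script's limit, -2 otherwise.
  print(string.format("%-22s estimate=%5d rcode=%d", label, estimate(records), rcode))
end
```

Any case reported with rcode -2 is an answer this mitigation would block, which is the disruption risk for naturally large responses mentioned above.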