add -A flag. with -A, Tall queries via udp are dropped. this is attack / ddos prevention. there are no known legit uses of the Tall query, except for manual debugging. writing udpnoall to /net*/dns toggles the value.
Reference: /n/atom/patch/applied2013/dnsudpnoall
Date: Tue Jun 25 22:31:57 CES 2013
Signed-off-by: quanstro@quanstro.net
--- /sys/src/cmd/ndb/dn.c Tue Jun 25 22:30:15 2013
+++ /sys/src/cmd/ndb/dn.c Tue Jun 25 22:30:17 2013
@@ -276,6 +276,7 @@
 stats.negbdnoans);
 fprint(fd, "# negative answers w no Rname set\t%lud\n", stats.negnorname);
 fprint(fd, "# negative answers cached\t%lud\n", stats.negcached);
+ fprint(fd, "# udp all queries dropped\t%lud\t%lud\n", stats.alldrop);
 qunlock(&stats);
 lock(&dnlock);
--- /sys/src/cmd/ndb/dns.c Tue Jun 25 22:30:19 2013
+++ /sys/src/cmd/ndb/dns.c Tue Jun 25 22:30:20 2013
@@ -111,7 +111,7 @@
 void
 usage(void)
 {
- fprint(2, "usage: %s [-deFnorRst] [-a maxage] [-f ndb-file] [-N target] "
+ fprint(2, "usage: %s [-AdeFnorRst] [-a maxage] [-f ndb-file] [-N target] "
 "[-T forwip] [-x netmtpt] [-z refreshprog]\n", argv0);
 exits("usage");
 }
@@ -131,6 +131,9 @@
 if (maxage <= 0)
 maxage = Defmaxage;
 break;
+ case 'A':
+ cfg.udpnoall ^= 1;
+ break;
 case 'd':
 debug = 1;
 traceactivity = 1;
@@ -760,7 +763,9 @@
 else if(strncmp(job->request.data, "target ", 7)==0){
 target = atol(job->request.data + 7);
 dnslog("target set to %ld", target);
- } else
+ } else if(strcmp(job->request.data, "udpnoall")==0)
+ cfg.udpnoall ^= 1;
+ else
 send = 0;
 if (send)
 goto send;
--- /sys/src/cmd/ndb/dns.h Tue Jun 25 22:30:21 2013
+++ /sys/src/cmd/ndb/dns.h Tue Jun 25 22:30:22 2013
@@ -403,6 +403,7 @@
 int serve; /* flag: serve udp queries */
 int inside;
 int straddle;
+ int udpnoall;
 };
 /* (udp) query stats */
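Review bot: The added fprint line in dn.c has two `%lud` conversions but passes only one argument, `stats.alldrop`, so the second conversion consumes a vararg that was never passed and prints whatever happens to be on the stack; the neighbouring negcached line uses a single `%lud`. Change it to `fprint(fd, "# udp all queries dropped\t%lud\n", stats.alldrop);`. The enclosing stats-dump function starts and ends outside the hunk.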
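Review bot: `cfg.udpnoall ^= 1;` in the new `case 'A'` toggles rather than sets, so passing `-A` twice (a wrapper script appending it to a command line that already carries it) silently turns the Tall drop back off; the adjacent `case 'd'` uses plain assignment (`debug = 1;`). For the command-line option use `cfg.udpnoall = 1;` and reserve the toggle for the `udpnoall` control write in the later dns.c hunk, where toggling is the behaviour the man page describes. The ARGBEGIN block this case belongs to starts and ends outside the hunk.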
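Review bot: The new `udpnoall` control branch changes whether a whole class of queries is answered but, unlike the adjacent `target` branch, leaves no record in the log, so an operator reading dnslog output afterwards cannot tell when or whether the drop was switched on or off. Add `dnslog("udpnoall set to %d", cfg.udpnoall);` after the `cfg.udpnoall ^= 1;` line, mirroring `dnslog("target set to %ld", target);`. Since the write toggles, a second identical write re-enables Tall answers; logging the resulting value rather than the action makes that visible. The enclosing request handler starts and ends outside the hunk.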
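Review bot: The new `udpnoall` field in the config struct carries no comment, whereas the nearest documented member, `int serve; /* flag: serve udp queries */`, explains itself; because this flag is set from both the `-A` option and a runtime control-file write, its meaning belongs at the declaration. Suggested line: `int udpnoall; /* flag: drop udp queries of type Tall */`. The struct's opening line is outside the hunk.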
@@ -427,6 +428,7 @@
 ulong negbdnoans; /* ⋯ and no answers */
 ulong negnorname; /* neg ans with no Rname set */
 ulong negcached; /* neg ans cached */
+ ulong alldrop; /* neg ans cached */
 } Stats;
 Stats stats;
--- /sys/src/cmd/ndb/dnudpserver.c Tue Jun 25 22:30:23 2013
+++ /sys/src/cmd/ndb/dnudpserver.c Tue Jun 25 22:30:24 2013
@@ -216,6 +216,21 @@
 goto freereq;
 }
+ /*
+ * emergency dns attack defense
+ * rely on the fact that all queries are only used for debugging.
+ * eat them as a kludgy way to mitigate attacks.
+ */
+ if(cfg.udpnoall){
+ for(RR *rr = reqmsg.qd; rr != nil; rr = rr->next){
+ if(rr->type == Tall){
+ stats.alldrop++;
+ if(debug)
+ dnslog("server: udp all query dropped");
+ goto freereq;
+ }
+ }
+ }
 if(debug || (trace && subsume(trace, reqmsg.qd->owner->name)))
 dnslog("%d: serve (%I/%d) %d %s %s", req.id, buf, uh->rport[0]<<8 | uh->rport[1],
--- /sys/man/8/ndb Tue Jun 25 22:30:25 2013
+++ /sys/man/8/ndb Tue Jun 25 22:30:27 2013
@@ -376,6 +376,13 @@
 .B -s
 also answer domain requests sent to UDP port 53.
 .TP
+.B -A
+ignore UDP queries type “all.” This may be necessary to work around broken caches, or DNS based attacks. This value may be toggled by writing
+.L udpnoall
+to the query file.
+.TP
 .B -x
 specifies the mount point of the network.
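Review bot: The comment on the new `alldrop` counter, `/* neg ans cached */`, is copied from the `negcached` line above it and describes the wrong counter, so the Stats struct and the stats dump in dn.c disagree about what is being counted. Replace the line with `ulong alldrop; /* udp Tall queries dropped */`. The struct's opening line is outside the hunk.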
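Review bot: `stats.alldrop++` in the new Tall check runs without the stats qlock, while the reader in dn.c (the `qunlock(&stats)` in the stats-dump hunk) treats `stats` as lock-protected; if the other counters bumped on this receive path take the lock first, this one should match, otherwise concurrent increments can be lost (a diagnostic inaccuracy rather than a safety problem, but it makes the `-A` counter less trustworthy as an attack indicator). The header comment would also be more useful if it recorded why the query is dropped silently instead of answered with a refusal: `/* no reply at all, so a spoofed source cannot use us as an amplifier */`. Separately, `for(RR *rr = reqmsg.qd; ...)` declares the loop variable in the for-init clause; if the surrounding file declares locals at block top, hoist `RR *rr;` to match. The enclosing serve function starts and ends outside the hunk.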