IP_PMTUDISC_OMIT on IPv4/UDP for mitigating fragment attack
Linux 3.15 introduced a new socket option, IP_PMTUDISC_OMIT, which makes sockets ignore PMTU information and send packets with DF=0. With this sockopt, fragmentation is allowed if and only if the packet size exceeds the outgoing interface MTU or the packet encounters a link with a smaller MTU in the network.
Because forged PMTU information is then ignored, setting IP_PMTUDISC_OMIT (instead of IP_PMTUDISC_DONT) on the DNS responder's IPv4/UDP socket mitigates DNS fragmentation attacks. Some DNS implementations already have this feature.
Patches for knot-2.7.6 and 2.8.0 that set IP_PMTUDISC_OMIT on IPv4/UDP sockets (if available) are attached.
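The socket setup described above, as an added example (not part of this post or of the attached Knot patches): it prefers IP_PMTUDISC_OMIT on an IPv4/UDP socket, falls back to IP_PMTUDISC_DONT where the headers or kernel lack OMIT, and reads the option back so a server can verify at startup which mode it got. The enum names and function names are this example's own.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

enum pmtu_mode { PMTU_MODE_ERROR = -1, PMTU_MODE_DONT = 1, PMTU_MODE_OMIT = 2 };

/* Prefer IP_PMTUDISC_OMIT: cached or forged PMTU values are ignored and DF=0,
 * so packets fragment only at the real interface or on-path MTU. When the
 * headers or the running kernel lack OMIT, fall back to IP_PMTUDISC_DONT. */
enum pmtu_mode apply_pmtudisc_omit(int fd)
{
#ifdef IP_PMTUDISC_OMIT
    int omit = IP_PMTUDISC_OMIT;
    if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &omit, sizeof(omit)) == 0)
        return PMTU_MODE_OMIT;
#endif
    int dont = IP_PMTUDISC_DONT;
    if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &dont, sizeof(dont)) == 0)
        return PMTU_MODE_DONT;
    return PMTU_MODE_ERROR;
}

/* Read back the stored IP_MTU_DISCOVER value for a startup self-check;
 * returns -1 if the kernel does not expose it. */
int read_pmtudisc(int fd)
{
    int val = -1;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &val, &len) < 0)
        return -1;
    return val;
}

int main(void)
{
    /* Constructed setup: an unbound IPv4/UDP socket standing in for the
     * responder's listening socket (a real server binds its address first). */
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    enum pmtu_mode m = apply_pmtudisc_omit(fd);
    printf("applied %s, kernel reports IP_MTU_DISCOVER=%d\n",
           m == PMTU_MODE_OMIT ? "IP_PMTUDISC_OMIT" :
           m == PMTU_MODE_DONT ? "IP_PMTUDISC_DONT (fallback)" : "nothing",
           read_pmtudisc(fd));
    close(fd);
    return m == PMTU_MODE_ERROR;
}
```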
 Linux kernel introduced IP*_PMTUDISC_OMIT: https://lists.openwall.net/netdev/2014/02/26/4
 IP fragmentation attack on DNS: https://ripe67.ripe.net/presentations/240-ipfragattack.pdf
 Unbound 1.5.0 introduced this feature: https://github.com/NLnetLabs/unbound/commit/470b7bda8763c36a7db255d1d981f3ae06d41ba0
 BIND 9.9.10 introduced this feature: https://www.isc.org/blogs/bind-april-2017/
 NSD 4.1.27 will introduce this feature: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4235