The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.
Created glibc tracking bugs for this issue:
Affects: fedora-all [bug 1477530]
This issue only affects systems which use a remote recursive resolver and enable EDNS0, either with the “edns0” option in /etc/resolv.conf, or using the RES_USE_EDNS0 or RES_USE_DNSSEC resolver flags. The underlying issue affects recursive resolvers such as BIND and Unbound as well, and has to be fixed separately there.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:0805 https://access.redhat.com/errata/RHSA-2018:0805