From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/3 v2] Unbound: Enable DNS cache poisoning mitigation
Date: Tue, 28 Aug 2018 13:27:36 +0100
Message-ID: <149f9cc4392f197d7203d54e42e7bcc5453b58fb.camel@ipfire.org>
In-Reply-To: <8687e7a8-adb6-2ad8-e58f-1f6a3273e8ab@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============9054075135053567723=="
List-Id:

--===============9054075135053567723==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

The list has only received v3...

On Mon, 2018-08-27 at 17:45 +0200, Peter Müller wrote:
> Yes, sorry. Submitted the whole thing again (without PGP the
> second time). Please merge version 4 of the patchset. :-\
>
> Best regards,
> Peter Müller
>
> > This is only one patch of the whole patchset...
> >
> > On Sun, 2018-08-26 at 20:34 +0200, Peter Müller wrote:
> > > By default, Unbound neither keeps track of the number of unwanted
> > > replies nor initiates countermeasures if they become too large (DNS
> > > cache poisoning).
> > > This sets the maximum number of tolerated unwanted replies to
> > > 1M, causing the cache to be flushed afterwards. (Upstream documentation
> > > recommends 10M as a threshold, but this turned out to be ineffective
> > > against attacks in the wild.)
> > > See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> > > details. This version of the patch uses 1M as threshold instead of
> > > 5M and supersedes the first version.
> > > Signed-off-by: Peter Müller
> > > ---
> > > config/unbound/unbound.conf | 3 +++
> > > 1 file changed, 3 insertions(+)
> > > diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> > > index 3f724d8f7..fa2ca3fd4 100644
> > > --- a/config/unbound/unbound.conf
> > > +++ b/config/unbound/unbound.conf
> > > @@ -61,6 +61,9 @@ server: > > > harden-algo-downgrade: no > > > use-caps-for-id: no > > > + # Harden against DNS cache poisoning > > > + unwanted-reply-threshold: 1000000 > > > + > > > # Listen on all interfaces > > > interface-automatic: yes > > > interface: 0.0.0.0 > > --===============9054075135053567723==--
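Review bot: the added comment `# Harden against DNS cache poisoning` above `unwanted-reply-threshold: 1000000` in the hunk does not say what the setting actually does or why 1M was chosen over the 10M the commit message says upstream recommends, so the rationale survives only in git history, not in the shipped unbound.conf. Since the commit message states that reaching the threshold causes the cache to be flushed, a lower threshold also means the cache can be dropped more often, with a resolution-latency cost until it is warm again; that trade-off should be visible to whoever next edits the file. Suggest expanding the comment to something like `# Flush the cache after 1M unwanted replies (upstream suggests 10M; see commit message)`, and backing the "ineffective against attacks in the wild" claim in the commit message with a reference, since it is the whole justification for deviating from the documented value.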