* [PATCH 1/3 v2] Unbound: Enable DNS cache poisoning mitigation
@ 2018-08-26 18:34 Peter Müller
2018-08-27 6:35 ` Michael Tremer
0 siblings, 1 reply; 5+ messages in thread
From: Peter Müller @ 2018-08-26 18:34 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 1107 bytes --]
By default, Unbound neither keeps track of the number of unwanted
replies nor initiates countermeasures if they become too large (DNS
cache poisoning).
This sets the maximum number of tolerated unwanted replies to
1M, causing the cache to be flushed afterwards. (Upstream documentation
recommends 10M as a threshold, but this turned out to be ineffective
against attacks in the wild.)
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
details. This version of the patch uses 1M as threshold instead of
5M and supersedes the first version.
Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
---
config/unbound/unbound.conf | 3 +++
1 file changed, 3 insertions(+)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 3f724d8f7..fa2ca3fd4 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -61,6 +61,9 @@ server:
harden-algo-downgrade: no
use-caps-for-id: no
+ # Harden against DNS cache poisoning
+ unwanted-reply-threshold: 1000000
+
# Listen on all interfaces
interface-automatic: yes
interface: 0.0.0.0
--
2.16.4
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/3 v2] Unbound: Enable DNS cache poisoning mitigation
2018-08-26 18:34 [PATCH 1/3 v2] Unbound: Enable DNS cache poisoning mitigation Peter Müller
@ 2018-08-27 6:35 ` Michael Tremer
2018-08-27 15:45 ` Peter Müller
0 siblings, 1 reply; 5+ messages in thread
From: Michael Tremer @ 2018-08-27 6:35 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 2146 bytes --]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
This is only one patch of the whole patchset...
On Sun, 2018-08-26 at 20:34 +0200, Peter Müller wrote:
> By default, Unbound neither keeps track of the number of unwanted
> replies nor initiates countermeasures if they become too large (DNS
> cache poisoning).
>
> This sets the maximum number of tolerated unwanted replies to
> 1M, causing the cache to be flushed afterwards. (Upstream documentation
> recommends 10M as a threshold, but this turned out to be ineffective
> against attacks in the wild.)
>
> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> details. This version of the patch uses 1M as threshold instead of
> 5M and supersedes the first version.
>
> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> ---
> config/unbound/unbound.conf | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> index 3f724d8f7..fa2ca3fd4 100644
> --- a/config/unbound/unbound.conf
> +++ b/config/unbound/unbound.conf
> @@ -61,6 +61,9 @@ server:
> harden-algo-downgrade: no
> use-caps-for-id: no
>
> + # Harden against DNS cache poisoning
> + unwanted-reply-threshold: 1000000
> +
> # Listen on all interfaces
> interface-automatic: yes
> interface: 0.0.0.0
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAluDm6UACgkQgHnw/2+Q
CQfxrA/+MDOfqsG6FYQTe5WvQbKXkbI2TKJVlCUm7fzhoKPTdBNioKe9l0zPGJpw
r1JWtFCXe1P3W3OP6uTWecMMUCbTOkqhHFGwkQ77tc43incK5rBdxKea7dqRmcg1
6oTau2b7iYzQZbjH1imZBvjrqMRTCWJEIlLU5ZJA42L0RUbmY83PIi67QNsa4BcP
UTRWPnoZF8eO5xe5hpQtctXyufyDqU562GdwkJ1Zvt2Tq2qC7+f8FUz22lD3YAiZ
E7FAs6RsxCBBtvdPlXoDiiCRcoLtlIXi00JqQ1qG3sCdgauOYOAjxu353AVtiAEf
DQdNdk5Qotnz8pTwjlR4o8FAIbMsk+neoWSJiVmMB3A1xV7dQDHnDkaZ2Z/ULT3Y
Pkxgx7L/KAdKmy7OnY8drZm0FHOOKaxFPCmEK+kdTdqdzEUmWSjiQ8BiwSDgrNMW
igBC01N6R35F8Kpf9a6YfVCQfG5mY0KmWsyM/67aygCIRf8Znlm6+6ZOmtVvAuAs
3nsta9oC0JgAkX/tcLZWO9eUnlhHDozU4Y4PoYX0ys5iNONhnTwp/er714+78/an
y8P2ZBMrHr0SwC17OU2KrJPoAaTjOyzJGCcIsYbO80ZN2XJFKD1BPm7HMs4gv/2B
Pvq6eZ3gKsCswfdJdMsHZYpRf1G+QUQnpxvWyqU76FRCOh3HkR4=
=2zwX
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/3 v2] Unbound: Enable DNS cache poisoning mitigation
2018-08-27 6:35 ` Michael Tremer
@ 2018-08-27 15:45 ` Peter Müller
2018-08-28 12:27 ` Michael Tremer
0 siblings, 1 reply; 5+ messages in thread
From: Peter Müller @ 2018-08-27 15:45 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 1637 bytes --]
Yes, sorry. Submitted the whole thing again (without PGP the
second time). Please merge version 4 of the patchset. :-\
Best regards,
Peter Müller
> This is only one patch of the whole patchset...
>
> On Sun, 2018-08-26 at 20:34 +0200, Peter Müller wrote:
>> By default, Unbound neither keeps track of the number of unwanted
>> replies nor initiates countermeasures if they become too large (DNS
>> cache poisoning).
>
>> This sets the maximum number of tolerated unwanted replies to
>> 1M, causing the cache to be flushed afterwards. (Upstream documentation
>> recommends 10M as a threshold, but this turned out to be ineffective
>> against attacks in the wild.)
>
>> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
>> details. This version of the patch uses 1M as threshold instead of
>> 5M and supersedes the first version.
>
>> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
>> ---
>> config/unbound/unbound.conf | 3 +++
>> 1 file changed, 3 insertions(+)
>
>> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
>> index 3f724d8f7..fa2ca3fd4 100644
>> --- a/config/unbound/unbound.conf
>> +++ b/config/unbound/unbound.conf
>> @@ -61,6 +61,9 @@ server:
>> harden-algo-downgrade: no
>> use-caps-for-id: no
>
>> + # Harden against DNS cache poisoning
>> + unwanted-reply-threshold: 1000000
>> +
>> # Listen on all interfaces
>> interface-automatic: yes
>> interface: 0.0.0.0
>
--
Microsoft DNS service terminates abnormally when it recieves a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/3 v2] Unbound: Enable DNS cache poisoning mitigation
2018-08-27 15:45 ` Peter Müller
@ 2018-08-28 12:27 ` Michael Tremer
2018-08-28 15:14 ` Peter Müller
0 siblings, 1 reply; 5+ messages in thread
From: Michael Tremer @ 2018-08-28 12:27 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 1625 bytes --]
The list has only received v3...
On Mon, 2018-08-27 at 17:45 +0200, Peter Müller wrote:
> Yes, sorry. Submitted the whole thing again (without PGP the
> second time). Please merge version 4 of the patchset. :-\
>
> Best regards,
> Peter Müller
>
> > This is only one patch of the whole patchset...
> >
> > On Sun, 2018-08-26 at 20:34 +0200, Peter Müller wrote:
> > > By default, Unbound neither keeps track of the number of unwanted
> > > replies nor initiates countermeasures if they become too large (DNS
> > > cache poisoning).
> > > This sets the maximum number of tolerated unwanted replies to
> > > 1M, causing the cache to be flushed afterwards. (Upstream documentation
> > > recommends 10M as a threshold, but this turned out to be ineffective
> > > against attacks in the wild.)
> > > See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> > > details. This version of the patch uses 1M as threshold instead of
> > > 5M and supersedes the first version.
> > > Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> > > ---
> > > config/unbound/unbound.conf | 3 +++
> > > 1 file changed, 3 insertions(+)
> > > diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> > > index 3f724d8f7..fa2ca3fd4 100644
> > > --- a/config/unbound/unbound.conf
> > > +++ b/config/unbound/unbound.conf
> > > @@ -61,6 +61,9 @@ server:
> > > harden-algo-downgrade: no
> > > use-caps-for-id: no
> > > + # Harden against DNS cache poisoning
> > > + unwanted-reply-threshold: 1000000
> > > +
> > > # Listen on all interfaces
> > > interface-automatic: yes
> > > interface: 0.0.0.0
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/3 v2] Unbound: Enable DNS cache poisoning mitigation
2018-08-28 12:27 ` Michael Tremer
@ 2018-08-28 15:14 ` Peter Müller
0 siblings, 0 replies; 5+ messages in thread
From: Peter Müller @ 2018-08-28 15:14 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 551 bytes --]
I'm sorry, v3 is what I meant here...
> The list has only received v3...
>
> On Mon, 2018-08-27 at 17:45 +0200, Peter Müller wrote:
>> Yes, sorry. Submitted the whole thing again (without PGP the
>> second time). Please merge version 4 of the patchset. :-\
>>
>> Best regards,
>> Peter Müller
>>
>>> This is only one patch of the whole patchset...
>>> [snip]--
Microsoft DNS service terminates abnormally when it recieves a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-08-28 15:14 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-26 18:34 [PATCH 1/3 v2] Unbound: Enable DNS cache poisoning mitigation Peter Müller
2018-08-27 6:35 ` Michael Tremer
2018-08-27 15:45 ` Peter Müller
2018-08-28 12:27 ` Michael Tremer
2018-08-28 15:14 ` Peter Müller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox