[PATCH v4 1/3] Unbound: Enable DNS cache poisoning mitigation

[PATCH v4 1/3] Unbound: Enable DNS cache poisoning mitigation

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1117 bytes --]

By default, Unbound neither keeps track of the number of unwanted
replies nor initiates countermeasures if they become too large (DNS
cache poisoning).

This sets the maximum number of tolerated unwanted replies to
1M, causing the cache to be flushed afterwards. (Upstream documentation
recommends 10M as a threshold, but this turned out to be ineffective
against attacks in the wild.)

See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
details. This version of the patch uses 1M as threshold instead of
5M and supersedes the first and second version.

Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
---
 config/unbound/unbound.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 3f724d8f7..ce9ddcd62 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -61,6 +61,9 @@ server:
 	harden-algo-downgrade: no
 	use-caps-for-id: no
 
+	# Harden against DNS cache poisoning
+	unwanted-reply-threshold: 1000000
+
 	# Listen on all interfaces
 	interface-automatic: yes
 	interface: 0.0.0.0
-- 
2.16.4

[PATCH v4 2/3] Unbound: Use caps for IDs

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 875 bytes --]

Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
random bits into upstream queries. Upstream documentation claims
it to be an experimental implementation, it did not cause any trouble
on productive systems here.

See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
further details.

Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
---
 config/unbound/unbound.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index ce9ddcd62..6eaf70a8e 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -59,7 +59,7 @@ server:
 	harden-below-nxdomain: yes
 	harden-referral-path: yes
 	harden-algo-downgrade: no
-	use-caps-for-id: no
+	use-caps-for-id: yes
 
 	# Harden against DNS cache poisoning
 	unwanted-reply-threshold: 1000000
-- 
2.16.4

[PATCH v4 3/3] Unbound: Use aggressive NSEC

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 729 bytes --]

This avoids some needless lookups to destination domains
with a very high NXDOMAIN rate and reduces load on upstream
servers.

See https://nlnetlabs.nl/documentation/unbound/unbound.conf/
for further details.

Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
---
 config/unbound/unbound.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 6eaf70a8e..cda591dab 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -60,6 +60,7 @@ server:
 	harden-referral-path: yes
 	harden-algo-downgrade: no
 	use-caps-for-id: yes
+	aggressive-nsec: yes
 
 	# Harden against DNS cache poisoning
 	unwanted-reply-threshold: 1000000
-- 
2.16.4

Re: [PATCH v4 1/3] Unbound: Enable DNS cache poisoning mitigation

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1235 bytes --]

Merged!

On Mon, 2018-09-10 at 16:21 +0200, Peter Müller wrote:
> By default, Unbound neither keeps track of the number of unwanted
> replies nor initiates countermeasures if they become too large (DNS
> cache poisoning).
> 
> This sets the maximum number of tolerated unwanted replies to
> 1M, causing the cache to be flushed afterwards. (Upstream documentation
> recommends 10M as a threshold, but this turned out to be ineffective
> against attacks in the wild.)
> 
> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> details. This version of the patch uses 1M as threshold instead of
> 5M and supersedes the first and second version.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> ---
>  config/unbound/unbound.conf | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> index 3f724d8f7..ce9ddcd62 100644
> --- a/config/unbound/unbound.conf
> +++ b/config/unbound/unbound.conf
> @@ -61,6 +61,9 @@ server:
>  	harden-algo-downgrade: no
>  	use-caps-for-id: no
>  
> +	# Harden against DNS cache poisoning
> +	unwanted-reply-threshold: 1000000
> +
>  	# Listen on all interfaces
>  	interface-automatic: yes
>  	interface: 0.0.0.0