Re: unbound startup

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 1644 bytes --]

On Tue, 2018-05-29 at 14:57 +0300, Tapani Tarvainen wrote:
> With a bit closer look it seems this is more serious than I thought:
> it's not only a bug but a security bug.

I do not consider this a security issue. This might be an information leak
though and cause some unintended behaviour, but that is about it.

> Under certain circumstances restarting unbound (which as noted happens
> with every Edit Hosts &c) can lead to loss of data as well as result
> in data leaks outside the firewall.
> 
> As it is now, at unbound startup there's a time window when it gives
> wrong answers to DNS queries. NXDOMAIN is bad enough and can lead to
> data loss in several circumstances, but as it starts forwarders before
> populating local hosts it can also return wrong answers in split DNS
> situations, that is, return external IP when it should return the
> internal one. This is obviously bad if exernal DNS server is
> compromised or spoofed, but even when it isn't, connections intended
> to intranet machines could go outside when they shouldn't.

Your application should not rely on getting a response from the DNS servers. And
if there is any important data to be sent to somewhere else it should try again.

> Exploiting this deliberately is not all that simple and all really bad
> cases I can think of require split DNS setup and knowledge or ability
> to guess when unbound is restarted, but some attacks could be set up
> to wait for it.
> 
> If this list is not the right place for discussing about bugs, please
> redirect wherever appropriate.

This is the right place. It's the dev list.

-Michael