From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/3 v2] Unbound: Enable DNS cache poisoning mitigation
Date: Mon, 27 Aug 2018 07:35:16 +0100
Message-ID: <51785c2ca0db1f8f6c9be356eeb76e432feb7937.camel@ipfire.org>
In-Reply-To: <58ca41ec-0a1a-68bd-1042-e8268926b807@link38.eu>

This is only one patch of the whole patchset...

On Sun, 2018-08-26 at 20:34 +0200, Peter Müller wrote:
> By default, Unbound neither keeps track of the number of unwanted
> replies nor initiates countermeasures if they become too large (DNS
> cache poisoning).
>
> This sets the maximum number of tolerated unwanted replies to
> 1M, causing the cache to be flushed afterwards. (Upstream documentation
> recommends 10M as a threshold, but this turned out to be ineffective
> against attacks in the wild.)
>
> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> details. This version of the patch uses 1M as threshold instead of
> 5M and supersedes the first version.
>
> Signed-off-by: Peter Müller
> ---
> config/unbound/unbound.conf | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> index 3f724d8f7..fa2ca3fd4 100644
> --- a/config/unbound/unbound.conf
> +++ b/config/unbound/unbound.conf
> @@ -61,6 +61,9 @@ server:
> harden-algo-downgrade: no
> use-caps-for-id: no
>
> + # Harden against DNS cache poisoning
> + unwanted-reply-threshold: 1000000
> +
> # Listen on all interfaces
> interface-automatic: yes
> interface: 0.0.0.0
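Review bot: the comment added above `unwanted-reply-threshold: 1000000` does not say what the directive does or why 1000000 was chosen over the 10M the commit message says upstream recommends; that rationale exists only in the commit message, which nobody reading unbound.conf later will see. Since reaching the threshold flushes the whole cache (per the commit message), the comment should state that behaviour and the deliberate deviation, e.g. `# Flush the cache once 1M unwanted replies have been seen (upstream suggests 10M)`, so an operator who sees unexpected cache flushes knows where to look and why the value is lower than the documented suggestion.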