[PATCH 1/3 v3] Unbound: Enable DNS cache poisoning mitigation

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

* [PATCH 1/3 v3] Unbound: Enable DNS cache poisoning mitigation
@ 2018-08-27 15:29 Peter Müller
  2018-09-09 16:46 ` Michael Tremer
  0 siblings, 1 reply; 4+ messages in thread
From: Peter Müller @ 2018-08-27 15:29 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 1107 bytes --]

By default, Unbound neither keeps track of the number of unwanted
replies nor initiates countermeasures if they become too large (DNS
cache poisoning).

This sets the maximum number of tolerated unwanted replies to
1M, causing the cache to be flushed afterwards. (Upstream documentation
recommends 10M as a threshold, but this turned out to be ineffective
against attacks in the wild.)

See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
details. This version of the patch uses 1M as threshold instead of
5M and supersedes the first version.

Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
---
 config/unbound/unbound.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 3f724d8f7..fa2ca3fd4 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -61,6 +61,9 @@ server:
 	harden-algo-downgrade: no
 	use-caps-for-id: no

+	# Harden against DNS cache poisoning
+	unwanted-reply-threshold: 1000000
+
 	# Listen on all interfaces
 	interface-automatic: yes
 	interface: 0.0.0.0
-- 
2.16.4

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 1/3 v3] Unbound: Enable DNS cache poisoning mitigation
  2018-08-27 15:29 [PATCH 1/3 v3] Unbound: Enable DNS cache poisoning mitigation Peter Müller
@ 2018-09-09 16:46 ` Michael Tremer
  2018-09-09 16:47   ` Peter Müller
  0 siblings, 1 reply; 4+ messages in thread
From: Michael Tremer @ 2018-09-09 16:46 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 1246 bytes --]

This patchset does not apply.

On Mon, 2018-08-27 at 17:29 +0200, Peter Müller wrote:
> By default, Unbound neither keeps track of the number of unwanted
> replies nor initiates countermeasures if they become too large (DNS
> cache poisoning).
> 
> This sets the maximum number of tolerated unwanted replies to
> 1M, causing the cache to be flushed afterwards. (Upstream documentation
> recommends 10M as a threshold, but this turned out to be ineffective
> against attacks in the wild.)
> 
> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> details. This version of the patch uses 1M as threshold instead of
> 5M and supersedes the first version.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> ---
>  config/unbound/unbound.conf | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> index 3f724d8f7..fa2ca3fd4 100644
> --- a/config/unbound/unbound.conf
> +++ b/config/unbound/unbound.conf
> @@ -61,6 +61,9 @@ server:
>  	harden-algo-downgrade: no
>  	use-caps-for-id: no
>  
> +	# Harden against DNS cache poisoning
> +	unwanted-reply-threshold: 1000000
> +
>  	# Listen on all interfaces
>  	interface-automatic: yes
>  	interface: 0.0.0.0


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 1/3 v3] Unbound: Enable DNS cache poisoning mitigation
  2018-09-09 16:46 ` Michael Tremer
@ 2018-09-09 16:47   ` Peter Müller
  2018-09-09 16:50     ` Michael Tremer
  0 siblings, 1 reply; 4+ messages in thread
From: Peter Müller @ 2018-09-09 16:47 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 1478 bytes --]

Why?

> This patchset does not apply.
> 
> On Mon, 2018-08-27 at 17:29 +0200, Peter Müller wrote:
>> By default, Unbound neither keeps track of the number of unwanted
>> replies nor initiates countermeasures if they become too large (DNS
>> cache poisoning).
>>
>> This sets the maximum number of tolerated unwanted replies to
>> 1M, causing the cache to be flushed afterwards. (Upstream documentation
>> recommends 10M as a threshold, but this turned out to be ineffective
>> against attacks in the wild.)
>>
>> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
>> details. This version of the patch uses 1M as threshold instead of
>> 5M and supersedes the first version.
>>
>> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
>> ---
>>  config/unbound/unbound.conf | 3 +++
>>  1 file changed, 3 insertions(+)
>>
>> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
>> index 3f724d8f7..fa2ca3fd4 100644
>> --- a/config/unbound/unbound.conf
>> +++ b/config/unbound/unbound.conf
>> @@ -61,6 +61,9 @@ server:
>>  	harden-algo-downgrade: no
>>  	use-caps-for-id: no
>>  
>> +	# Harden against DNS cache poisoning
>> +	unwanted-reply-threshold: 1000000
>> +
>>  	# Listen on all interfaces
>>  	interface-automatic: yes
>>  	interface: 0.0.0.0
> 

-- 
Microsoft DNS service terminates abnormally when it recieves a response
to a DNS query that was never made.  Fix Information: Run your DNS
service on a different platform.
		-- bugtraq

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 1/3 v3] Unbound: Enable DNS cache poisoning mitigation
  2018-09-09 16:47   ` Peter Müller
@ 2018-09-09 16:50     ` Michael Tremer
  0 siblings, 0 replies; 4+ messages in thread
From: Michael Tremer @ 2018-09-09 16:50 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 1692 bytes --]

It just isn't a consecutive order of patches.

The first one has manually been changed and the rest of the branch wasn't
rebased. They came from another branch.

Build one branch and let git send-email do the work for you.

-Michael

On Sun, 2018-09-09 at 18:47 +0200, Peter Müller wrote:
> Why?
> 
> > This patchset does not apply.
> > 
> > On Mon, 2018-08-27 at 17:29 +0200, Peter Müller wrote:
> > > By default, Unbound neither keeps track of the number of unwanted
> > > replies nor initiates countermeasures if they become too large (DNS
> > > cache poisoning).
> > > 
> > > This sets the maximum number of tolerated unwanted replies to
> > > 1M, causing the cache to be flushed afterwards. (Upstream documentation
> > > recommends 10M as a threshold, but this turned out to be ineffective
> > > against attacks in the wild.)
> > > 
> > > See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> > > details. This version of the patch uses 1M as threshold instead of
> > > 5M and supersedes the first version.
> > > 
> > > Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> > > ---
> > >  config/unbound/unbound.conf | 3 +++
> > >  1 file changed, 3 insertions(+)
> > > 
> > > diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> > > index 3f724d8f7..fa2ca3fd4 100644
> > > --- a/config/unbound/unbound.conf
> > > +++ b/config/unbound/unbound.conf
> > > @@ -61,6 +61,9 @@ server:
> > >  	harden-algo-downgrade: no
> > >  	use-caps-for-id: no
> > >  
> > > +	# Harden against DNS cache poisoning
> > > +	unwanted-reply-threshold: 1000000
> > > +
> > >  	# Listen on all interfaces
> > >  	interface-automatic: yes
> > >  	interface: 0.0.0.0
> 
> 


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2018-09-09 16:50 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-27 15:29 [PATCH 1/3 v3] Unbound: Enable DNS cache poisoning mitigation Peter Müller
2018-09-09 16:46 ` Michael Tremer
2018-09-09 16:47   ` Peter Müller
2018-09-09 16:50     ` Michael Tremer

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox