From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/3] Unbound: Enable DNS cache poisoning mitigation
Date: Thu, 23 Aug 2018 14:39:40 +0100
Message-ID: <817cfa594eb88b18f43d605433646abcdb2a2799.camel@ipfire.org>
In-Reply-To: <96863f17-bb80-2cdc-cb55-2ca06a9cc673@link38.eu>

Do you have any reference for this?

On Sun, 2018-08-19 at 20:08 +0200, Peter Müller wrote:
> By default, Unbound neither keeps track of the number of unwanted
> replies nor initiates countermeasures if they become too large (DNS
> cache poisoning).
> 
> This sets the maximum number of tolerated unwanted replies to
> 5M, causing the cache to be flushed afterwards. (Upstream documentation
> recommends 10M as a threshold, but this turned out to be ineffective
> against attacks in the wild.)
> 
> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> details.
> 
> Signed-off-by: Peter Müller
> ---
>  config/unbound/unbound.conf | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> index 3f724d8f7..fa2ca3fd4 100644
> --- a/config/unbound/unbound.conf
> +++ b/config/unbound/unbound.conf
> @@ -61,6 +61,9 @@ server:
>  	harden-algo-downgrade: no
>  	use-caps-for-id: no
>  
> +	# Harden against DNS cache poisoning
> +	unwanted-reply-threshold: 5000000
> +
>  	# Listen on all interfaces
>  	interface-automatic: yes
>  	interface: 0.0.0.0
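Review bot: the comment added above `unwanted-reply-threshold: 5000000` ("Harden against DNS cache poisoning") does not say what the option actually does, and it should, because the visible effect is a surprising one: once the counter reaches the threshold, Unbound clears its message and rrset caches and logs a warning, so an administrator who later sees the cache emptied will look at this line first. The comment should also say why 5000000 was chosen instead of the 10M value the linked unbound.conf documentation suggests; the commit message only asserts that 10M "turned out to be ineffective against attacks in the wild" without a reference, which is exactly what Michael asks for above. Note too that, per the same documentation, the unwanted-reply counter is kept per thread, so the flush triggers when any single thread has seen 5000000 unwanted replies; with more than one thread the total tolerated before the first flush can be up to num-threads times that value, so if a fixed total is intended, the value should be stated relative to the thread count IPFire runs Unbound with.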
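An added example to make the option's semantics concrete (this is not IPFire's configuration nor Unbound's own code): a small Python audit that parses the `server:` clause of an unbound.conf fragment and reports whether `unwanted-reply-threshold` is enabled and what it amounts to. The two config fragments are constructed from the hunk above; the "after" case additionally assumes a `num-threads: 4` line, because the unbound.conf documentation linked in the commit message states that the unwanted-reply counter is kept per thread, so the thread count changes how many unwanted replies can be seen in total before the caches are flushed.

```python
import re

# Constructed sample: the server: clause as it stands before the patch
# (option absent, so Unbound's default of 0 applies and no tracking is
# done) and after it. num-threads: 4 is an assumption added here.
CONF_BEFORE = """\
server:
\tharden-algo-downgrade: no
\tuse-caps-for-id: no

\t# Listen on all interfaces
\tinterface-automatic: yes
\tinterface: 0.0.0.0
"""

CONF_AFTER = """\
server:
\tnum-threads: 4
\tharden-algo-downgrade: no
\tuse-caps-for-id: no

\t# Harden against DNS cache poisoning
\tunwanted-reply-threshold: 5000000

\t# Listen on all interfaces
\tinterface-automatic: yes
\tinterface: 0.0.0.0
"""

_CLAUSE = re.compile(r"^[a-z-]+:\s*$")            # e.g. "server:"
_OPTION = re.compile(r"^\s*([a-z0-9-]+):\s*(.*?)\s*$")


def parse_server_options(text):
    """Return {option: value} for the server: clause of an unbound.conf
    fragment. Comments and blank lines are skipped; a repeated
    single-valued option keeps its last value, as Unbound does. Any
    other clause header (remote-control:, forward-zone:, ...) ends the
    server block. Good enough for an audit, not a full unbound.conf parser."""
    options = {}
    in_server = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if _CLAUSE.match(line):
            in_server = line == "server:"
            continue
        if not in_server:
            continue
        m = _OPTION.match(line)
        if m:
            options[m.group(1)] = m.group(2).strip('"')
    return options


def audit_unwanted_reply_threshold(text):
    """Report the unwanted-reply-threshold setting of a config fragment.

    Unbound's defaults: unwanted-reply-threshold 0 (disabled), num-threads 1.
    The counter is per thread (per the unbound.conf documentation), so the
    caches are flushed as soon as any one thread reaches the threshold;
    the total number of unwanted replies seen before the first flush is
    therefore between the threshold itself (all in one thread) and
    threshold * num-threads (evenly spread), which is reported here as an
    upper bound."""
    opts = parse_server_options(text)
    threshold = int(opts.get("unwanted-reply-threshold", "0"))
    threads = int(opts.get("num-threads", "1"))
    return {
        "enabled": threshold > 0,
        "per_thread_threshold": threshold,
        "num_threads": threads,
        "max_total_before_flush": threshold * threads,
    }


if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, audit_unwanted_reply_threshold(conf))
```

Run against a real file with `audit_unwanted_reply_threshold(open("/etc/unbound/unbound.conf").read())`; a result with `enabled` false means Unbound is running with the default and will never flush on unwanted replies, whatever the comment in the file says.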