From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/3 v2] Unbound: Enable DNS cache poisoning mitigation
Date: Mon, 27 Aug 2018 17:45:05 +0200
Message-ID: <8687e7a8-adb6-2ad8-e58f-1f6a3273e8ab@link38.eu>
In-Reply-To: <51785c2ca0db1f8f6c9be356eeb76e432feb7937.camel@ipfire.org>

Yes, sorry. Submitted the whole thing again (without PGP the second time).
Please merge version 4 of the patchset. :-\

Best regards,
Peter Müller

> This is only one patch of the whole patchset...
>
> On Sun, 2018-08-26 at 20:34 +0200, Peter Müller wrote:
>> By default, Unbound neither keeps track of the number of unwanted
>> replies nor initiates countermeasures if they become too large (DNS
>> cache poisoning).
>
>> This sets the maximum number of tolerated unwanted replies to
>> 1M, causing the cache to be flushed afterwards. (Upstream documentation
>> recommends 10M as a threshold, but this turned out to be ineffective
>> against attacks in the wild.)
>
>> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
>> details. This version of the patch uses 1M as threshold instead of
>> 5M and supersedes the first version.
>
>> Signed-off-by: Peter Müller
>> ---
>> config/unbound/unbound.conf | 3 +++
>> 1 file changed, 3 insertions(+)
>
>> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
>> index 3f724d8f7..fa2ca3fd4 100644
>> --- a/config/unbound/unbound.conf
>> +++ b/config/unbound/unbound.conf
>> @@ -61,6 +61,9 @@ server: >> harden-algo-downgrade: no >> use-caps-for-id: no > >> + # Harden against DNS cache poisoning >> + unwanted-reply-threshold: 1000000 >> + >> # Listen on all interfaces >> interface-automatic: yes >> interface: 0.0.0.0 > -- Microsoft DNS service terminates abnormally when it recieves a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform. -- bugtraq --===============7536249599191019293==--
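Review bot: the comment on the added line `# Harden against DNS cache poisoning` under-documents the choice of `unwanted-reply-threshold: 1000000`. The commit message states that the 10M value from the upstream documentation was ineffective against attacks in the wild and that an earlier revision used 5M, but neither the source of that observation nor the resolver load it was measured under is recorded in the hunk or the message. Since reaching the threshold flushes the whole cache, a value that is too low for a busy resolver turns unwanted replies that arrive for benign reasons into repeated full flushes, which costs performance without adding protection. Please extend the comment with the rationale, e.g. `# Flush the cache after 1M unwanted replies (upstream suggests 10M; see commit message)`, and state in the commit message how the 1M figure was validated.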
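The quoted commit message explains that Unbound only counts unwanted replies, and only flushes its cache when the count reaches `unwanted-reply-threshold`, if that option is set to a non-zero value in the `server:` clause. The following checker, an added example that is not IPFire's code or part of the patch, parses the `server:` block of an `unbound.conf` and reports whether that mitigation is enabled and within the range the thread discusses (1M as chosen here, 10M as mentioned in upstream documentation). The two sample configurations are constructed from the option names visible in the hunk; the `MIN_THRESHOLD`/`MAX_THRESHOLD` bounds and the `Finding` type are assumptions of this example, and the informational note on `use-caps-for-id` reflects that 0x20 query-name randomisation is a separate spoof-resistance measure, not something the patch changes.

```python
"""Check an unbound.conf server: block for the cache-poisoning mitigation
discussed in the thread. Example code, not IPFire's or Unbound's own."""
import re
from dataclasses import dataclass

# Bounds assumed for this example: the thread picks 1,000,000 and cites
# 10,000,000 from the upstream documentation.
MIN_THRESHOLD = 1_000_000
MAX_THRESHOLD = 10_000_000


@dataclass
class Finding:
    severity: str   # "high", "medium", "info" or "error"
    option: str
    message: str


def parse_server_block(text: str) -> dict:
    """Return {option: value} for the server: clause only.

    Unbound's format: a clause header ('server:', 'remote-control:', ...)
    at column 0, followed by indented 'key: value' lines; '#' starts a
    comment. Options in other clauses are deliberately ignored because an
    option placed outside server: does not take effect there.
    """
    settings = {}
    in_server = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip trailing comments
        if not line.strip():
            continue
        header = re.match(r"^(\S[\w-]*):\s*$", line)
        if header:
            in_server = header.group(1) == "server"
            continue
        if not in_server:
            continue
        option = re.match(r"^\s+([\w-]+):\s*(.*)$", line)
        if option:
            settings[option.group(1)] = option.group(2).strip().strip('"')
    return settings


def check_poisoning_mitigation(text: str) -> list:
    """Return findings about unwanted-reply handling in the given config."""
    settings = parse_server_block(text)
    findings = []
    raw = settings.get("unwanted-reply-threshold", "0")  # Unbound: 0 = off
    try:
        threshold = int(raw)
    except ValueError:
        findings.append(Finding("error", "unwanted-reply-threshold",
                                f"not an integer: {raw!r}"))
        threshold = 0
    if threshold == 0:
        findings.append(Finding("high", "unwanted-reply-threshold",
                                "absent or 0: unwanted replies are never "
                                "counted, so the cache is never flushed on "
                                "a poisoning attempt"))
    elif threshold < MIN_THRESHOLD:
        findings.append(Finding("medium", "unwanted-reply-threshold",
                                f"{threshold} is below 1M: benign unwanted "
                                "replies may cause frequent full-cache flushes"))
    elif threshold > MAX_THRESHOLD:
        findings.append(Finding("medium", "unwanted-reply-threshold",
                                f"{threshold} exceeds the 10M upstream "
                                "suggestion: the flush fires late"))
    if settings.get("use-caps-for-id", "no") != "yes":
        findings.append(Finding("info", "use-caps-for-id",
                                "0x20 query-name randomisation is off; it is "
                                "an independent spoof-resistance measure"))
    return findings


# Constructed sample configurations, built from the options in the hunk.
WEAK_CONF = """\
server:
    harden-algo-downgrade: no
    use-caps-for-id: no

    # Listen on all interfaces
    interface-automatic: yes
    interface: 0.0.0.0
"""

HARDENED_CONF = """\
server:
    harden-algo-downgrade: no
    use-caps-for-id: no

    # Harden against DNS cache poisoning
    unwanted-reply-threshold: 1000000

    # Listen on all interfaces
    interface-automatic: yes
    interface: 0.0.0.0

remote-control:
    control-enable: no
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for f in check_poisoning_mitigation(conf):
            print(f"{name}: [{f.severity}] {f.option}: {f.message}")
```

Run against a real `/etc/unbound/unbound.conf` by reading the file into `check_poisoning_mitigation`; the "high" finding disappears once the line from the patch is present in the `server:` clause, and the remaining "info" entry only records that `use-caps-for-id` is still off, as it is in the quoted context lines.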