From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/3] Unbound: Enable DNS cache poisoning mitigation
Date: Thu, 23 Aug 2018 21:22:36 +0200
Message-ID: <930c64ec-a1e6-f7f6-6613-d88fd1a1cc04@link38.eu>
In-Reply-To: <817cfa594eb88b18f43d605433646abcdb2a2799.camel@ipfire.org>

Well, some people consider 10k a good value for this:
https://calomel.org/unbound_dns.html

Not sure if this is actually too low. During some attacks, 5M was satisfying here, but I did not dig deeper into thresholds. Simulated attacks did not show a unique behaviour, and their real value is questionable from my point of view.

What do you propose for the value? 1M or 100k?

Best regards,
Peter Müller

> Do you have any reference for this?
>
> On Sun, 2018-08-19 at 20:08 +0200, Peter Müller wrote:
>> By default, Unbound neither keeps track of the number of unwanted
>> replies nor initiates countermeasures if they become too large (DNS
>> cache poisoning).
>>
>> This sets the maximum number of tolerated unwanted replies to
>> 5M, causing the cache to be flushed afterwards. (Upstream documentation
>> recommends 10M as a threshold, but this turned out to be ineffective
>> against attacks in the wild.)
>>
>> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
>> details.
>>
>> Signed-off-by: Peter Müller
>> ---
>> config/unbound/unbound.conf | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
>> index 3f724d8f7..fa2ca3fd4 100644
>> --- a/config/unbound/unbound.conf
>> +++ b/config/unbound/unbound.conf
>> @@ -61,6 +61,9 @@ server:
>> harden-algo-downgrade: no
>> use-caps-for-id: no
>>
>> + # Harden against DNS cache poisoning
>> + unwanted-reply-threshold: 5000000
>> +
>> # Listen on all interfaces
>> interface-automatic: yes
>> interface: 0.0.0.0
> --
> Microsoft DNS service terminates abnormally when it receives a response to
> a DNS query that was never made.
> Fix Information: Run your DNS service on a different platform.
> -- bugtraq
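Review bot: the comment added above `unwanted-reply-threshold: 5000000` states only the intent ("Harden against DNS cache poisoning"), not what the option does or why 5000000 was chosen; the commit message says reaching the threshold flushes the cache and that 5M was picked over the 10M suggested upstream because 10M proved ineffective in the wild, and this thread is already debating 10k, 100k and 1M as alternatives. Put that in the file, e.g. `# Flush the cache once this many unwanted replies have been seen` and `# (upstream suggests 10M; 5M chosen from observed attacks)`, so whoever tunes the value later sees the trade-off behind the "too low" concern raised in the reply: a lower threshold resists poisoning more aggressively but also empties the whole cache more readily.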