public inbox for development@lists.ipfire.org
* [PATCH 1/3] Unbound: Enable DNS cache poisoning mitigation
@ 2018-08-19 18:08 Peter Müller
  2018-08-23 13:39 ` Michael Tremer
  0 siblings, 1 reply; 5+ messages in thread
From: Peter Müller @ 2018-08-19 18:08 UTC (permalink / raw)
  To: development


By default, Unbound neither keeps track of the number of unwanted
replies nor initiates countermeasures if they become too large (DNS
cache poisoning).

This sets the maximum number of tolerated unwanted replies to
5M, causing the cache to be flushed afterwards. (Upstream documentation
recommends 10M as a threshold, but this turned out to be ineffective
against attacks in the wild.)

See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
details.

Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
---
 config/unbound/unbound.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 3f724d8f7..fa2ca3fd4 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -61,6 +61,9 @@ server:
 	harden-algo-downgrade: no
 	use-caps-for-id: no
 
+	# Harden against DNS cache poisoning
+	unwanted-reply-threshold: 5000000
+
 	# Listen on all interfaces
 	interface-automatic: yes
 	interface: 0.0.0.0
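Review bot: the `+` lines only comment `# Harden against DNS cache poisoning`, while the commit message carries the two facts an administrator reading unbound.conf actually needs: that reaching the threshold flushes the cache, and that 5000000 was chosen below the 10M upstream suggests because the larger value proved ineffective against real attacks. Put both into the in-file comment, e.g. `# Flush the cache once this many unwanted replies were seen; upstream suggests 10M, 5M was needed against real attacks`, so the side effect and the rationale survive without the git history; without it, someone tuning the value later has no hint that a threshold low enough to be reached by ordinary stray replies will repeatedly empty a healthy cache.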
-- 
2.16.4
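As an added illustration, not part of the patch or of IPFire's tree: a small Python checker that parses the `server:` clause of an unbound.conf like the one patched above and reports whether unwanted-reply tracking is enabled at all (absent or 0 is Unbound's default, i.e. off). The sample configuration is constructed from the hunk's context lines; the parser is a deliberate simplification of unbound.conf syntax and does not follow `include:` directives.

```python
# Added example: report whether an unbound.conf enables the unwanted-reply
# counter. Absent or 0 (Unbound's default) means stray replies are never
# counted and the defensive cache flush never happens.

# Constructed sample: the server: clause as it looks after the patch.
SAMPLE_CONF = """\
server:
    harden-algo-downgrade: no
    use-caps-for-id: no
    # Harden against DNS cache poisoning
    unwanted-reply-threshold: 5000000
    # Listen on all interfaces
    interface-automatic: yes
    interface: 0.0.0.0

remote-control:
    control-enable: no
"""

def parse_unbound_conf(text):
    """Simplified unbound.conf reader returning {clause: {option: value}}.

    A line ending in ':' opens a clause (server:, remote-control:, ...),
    'key: value' lines belong to the current clause, '#' starts a comment.
    include: directives are not followed (an assumption of this example).
    """
    clauses, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):                    # new clause
            current = clauses.setdefault(line[:-1], {})
            continue
        key, _, value = line.partition(":")
        if current is not None:
            current[key.strip()] = value.strip().strip('"')
    return clauses

def unwanted_reply_threshold(text):
    """Effective threshold from the server: clause (0 = tracking off)."""
    server = parse_unbound_conf(text).get("server", {})
    return int(server.get("unwanted-reply-threshold", "0"))

def audit(text):
    """'off' when Unbound would never flush on unwanted replies, else 'on'."""
    return "off" if unwanted_reply_threshold(text) == 0 else "on"
```

Running `audit(SAMPLE_CONF)` on the patched clause yields `"on"` with a threshold of 5000000; the same clause without the option yields `"off"`.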


* Re: [PATCH 1/3] Unbound: Enable DNS cache poisoning mitigation
  2018-08-19 18:08 [PATCH 1/3] Unbound: Enable DNS cache poisoning mitigation Peter Müller
@ 2018-08-23 13:39 ` Michael Tremer
  2018-08-23 19:22   ` Peter Müller
  0 siblings, 1 reply; 5+ messages in thread
From: Michael Tremer @ 2018-08-23 13:39 UTC (permalink / raw)
  To: development


Do you have any reference for this?

On Sun, 2018-08-19 at 20:08 +0200, Peter Müller wrote:
> By default, Unbound neither keeps track of the number of unwanted
> replies nor initiates countermeasures if they become too large (DNS
> cache poisoning).
> 
> This sets the maximum number of tolerated unwanted replies to
> 5M, causing the cache to be flushed afterwards. (Upstream documentation
> recommends 10M as a threshold, but this turned out to be ineffective
> against attacks in the wild.)
> 
> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> details.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> ---
>  config/unbound/unbound.conf | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> index 3f724d8f7..fa2ca3fd4 100644
> --- a/config/unbound/unbound.conf
> +++ b/config/unbound/unbound.conf
> @@ -61,6 +61,9 @@ server:
>  	harden-algo-downgrade: no
>  	use-caps-for-id: no
>  
> +	# Harden against DNS cache poisoning
> +	unwanted-reply-threshold: 5000000
> +
>  	# Listen on all interfaces
>  	interface-automatic: yes
>  	interface: 0.0.0.0



* Re: [PATCH 1/3] Unbound: Enable DNS cache poisoning mitigation
  2018-08-23 13:39 ` Michael Tremer
@ 2018-08-23 19:22   ` Peter Müller
  2018-08-24 11:52     ` Michael Tremer
  0 siblings, 1 reply; 5+ messages in thread
From: Peter Müller @ 2018-08-23 19:22 UTC (permalink / raw)
  To: development


Well, some people consider 10k a good value for this:
https://calomel.org/unbound_dns.html

Not sure if this is actually too low. During some attacks, 5M
was satisfying here, but I did not dig into thresholds deeper.
Simulated attacks did not show a unique behaviour, and their
real value is questionable in my point of view.

What do you propose for the value? 1M or 100k?

Best regards,
Peter Müller

> Do you have any reference for this?
> 
> On Sun, 2018-08-19 at 20:08 +0200, Peter Müller wrote:
>> By default, Unbound neither keeps track of the number of unwanted
>> replies nor initiates countermeasures if they become too large (DNS
>> cache poisoning).
>>
>> This sets the maximum number of tolerated unwanted replies to
>> 5M, causing the cache to be flushed afterwards. (Upstream documentation
>> recommends 10M as a threshold, but this turned out to be ineffective
>> against attacks in the wild.)
>>
>> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
>> details.
>>
>> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
>> ---
>>  config/unbound/unbound.conf | 3 +++
>>  1 file changed, 3 insertions(+)
>>
>> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
>> index 3f724d8f7..fa2ca3fd4 100644
>> --- a/config/unbound/unbound.conf
>> +++ b/config/unbound/unbound.conf
>> @@ -61,6 +61,9 @@ server:
>>  	harden-algo-downgrade: no
>>  	use-caps-for-id: no
>>  
>> +	# Harden against DNS cache poisoning
>> +	unwanted-reply-threshold: 5000000
>> +
>>  	# Listen on all interfaces
>>  	interface-automatic: yes
>>  	interface: 0.0.0.0
> 

-- 
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made.  Fix Information: Run your DNS
service on a different platform.
		-- bugtraq



* Re: [PATCH 1/3] Unbound: Enable DNS cache poisoning mitigation
  2018-08-23 19:22   ` Peter Müller
@ 2018-08-24 11:52     ` Michael Tremer
  2018-08-26 18:35       ` Peter Müller
  0 siblings, 1 reply; 5+ messages in thread
From: Michael Tremer @ 2018-08-24 11:52 UTC (permalink / raw)
  To: development


1M sounds good.

This should never become a problem for zones that use DNSSEC.

On Thu, 2018-08-23 at 21:22 +0200, Peter Müller wrote:
> Well, some people consider 10k a good value for this:
> https://calomel.org/unbound_dns.html
> 
> Not sure if this is actually too low. During some attacks, 5M
> was satisfying here, but I did not dig into thresholds deeper.
> Simulated attacks did not show a unique behaviour, and their
> real value is questionable in my point of view.
> 
> What do you propose for the value? 1M or 100k?
> 
> Best regards,
> Peter Müller
> 
> > Do you have any reference for this?
> > 
> > On Sun, 2018-08-19 at 20:08 +0200, Peter Müller wrote:
> > > By default, Unbound neither keeps track of the number of unwanted
> > > replies nor initiates countermeasures if they become too large (DNS
> > > cache poisoning).
> > > 
> > > This sets the maximum number of tolerated unwanted replies to
> > > 5M, causing the cache to be flushed afterwards. (Upstream documentation
> > > recommends 10M as a threshold, but this turned out to be ineffective
> > > against attacks in the wild.)
> > > 
> > > See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> > > details.
> > > 
> > > Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> > > ---
> > >  config/unbound/unbound.conf | 3 +++
> > >  1 file changed, 3 insertions(+)
> > > 
> > > diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> > > index 3f724d8f7..fa2ca3fd4 100644
> > > --- a/config/unbound/unbound.conf
> > > +++ b/config/unbound/unbound.conf
> > > @@ -61,6 +61,9 @@ server:
> > >  	harden-algo-downgrade: no
> > >  	use-caps-for-id: no
> > >  
> > > +	# Harden against DNS cache poisoning
> > > +	unwanted-reply-threshold: 5000000
> > > +
> > >  	# Listen on all interfaces
> > >  	interface-automatic: yes
> > >  	interface: 0.0.0.0
> 
> 

* Re: [PATCH 1/3] Unbound: Enable DNS cache poisoning mitigation
  2018-08-24 11:52     ` Michael Tremer
@ 2018-08-26 18:35       ` Peter Müller
  0 siblings, 0 replies; 5+ messages in thread
From: Peter Müller @ 2018-08-26 18:35 UTC (permalink / raw)
  To: development


Hello Michael,

could you merge the series with the second version of this patch
then?

Thanks, and best regards,
Peter Müller 

> 1M sounds good.
> 
> This should never become a problem for zones that use DNSSEC.
> 
> On Thu, 2018-08-23 at 21:22 +0200, Peter Müller wrote:
>> Well, some people consider 10k a good value for this:
>> https://calomel.org/unbound_dns.html
> 
>> Not sure if this is actually too low. During some attacks, 5M
>> was satisfying here, but I did not dig into thresholds deeper.
>> Simulated attacks did not show a unique behaviour, and their
>> real value is questionable in my point of view.
> 
>> What do you propose for the value? 1M or 100k?
> 
>> Best regards,
>> Peter Müller
> [snip]
-- 
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made.  Fix Information: Run your DNS
service on a different platform.
		-- bugtraq


