From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/3] Unbound: Enable DNS cache poisoning mitigation
Date: Fri, 24 Aug 2018 12:52:24 +0100
In-Reply-To: <930c64ec-a1e6-f7f6-6613-d88fd1a1cc04@link38.eu>

1M sounds good. This should never become a problem for zones that use DNSSEC.

On Thu, 2018-08-23 at 21:22 +0200, Peter Müller wrote:
> Well, some people consider 10k a good value for this:
> https://calomel.org/unbound_dns.html
>
> Not sure if this is actually too low. During some attacks, 5M
> was satisfying here, but I did not dig into thresholds deeper.
> Simulated attacks did not show a unique behaviour, and their
> real value is questionable in my point of view.
>
> What do you propose for the value? 1M or 100k?
>
> Best regards,
> Peter Müller
>
> > Do you have any reference for this?
> >
> > On Sun, 2018-08-19 at 20:08 +0200, Peter Müller wrote:
> > > By default, Unbound neither keeps track of the number of unwanted
> > > replies nor initiates countermeasures if they become too large (DNS
> > > cache poisoning).
> > >
> > > This sets the maximum number of tolerated unwanted replies to
> > > 5M, causing the cache to be flushed afterwards. (Upstream documentation
> > > recommends 10M as a threshold, but this turned out to be ineffective
> > > against attacks in the wild.)
> > >
> > > See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> > > details.
> > >
> > > Signed-off-by: Peter Müller
> > > --- > > > config/unbound/unbound.conf | 3 +++ > > > 1 file changed, 3 insertions(+) > > > > > > diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf > > > index 3f724d8f7..fa2ca3fd4 100644
> > > --- a/config/unbound/unbound.conf > > > +++ b/config/unbound/unbound.conf > > > @@ -61,6 +61,9 @@ server: > > > harden-algo-downgrade: no > > > use-caps-for-id: no > > > > > > + # Harden against DNS cache poisoning > > > + unwanted-reply-threshold: 5000000 > > > + > > > # Listen on all interfaces > > > interface-automatic: yes > > > interface: 0.0.0.0
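Review bot: the added comment `# Harden against DNS cache poisoning` in the hunk does not say what the setting does or why 5000000 was chosen over the 10M the commit message says upstream recommends; since the thread above settles on 1M, a v2 should carry the agreed value and a comment that states the behaviour, e.g. `+ # Flush the cache once this many unwanted replies have been counted (upstream suggests 10M)`. The commit message's statement that 10M "turned out to be ineffective against attacks in the wild" also still has no reference attached, which is what the earlier "Do you have any reference for this?" asked for.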
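To judge the 5M versus 1M question against a live resolver, here is an added POSIX shell check (not code from the patch or from the IPFire project): it reads the `unwanted.replies` counter that `unbound-control stats` reports in key=value form and compares it with the configured `unwanted-reply-threshold`, so an operator sees a spoofing burst building before Unbound flushes its cache. The stats text, the 650000 sample count and the 50% warning level are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the patch. Live use:
#   unwanted_replies_status "$(unbound-control stats_noreset)" "$(conf_threshold < /etc/unbound/unbound.conf)"
# SAMPLE_STATS is constructed output in unbound-control's key=value format.
SAMPLE_STATS='total.num.queries=120345
total.num.cachehits=90012
unwanted.queries=3
unwanted.replies=650000'

# Print the unwanted.replies counter from stats text on stdin (0 if absent).
unwanted_replies_count() {
    awk -F= '$1 == "unwanted.replies" { print $2; found = 1 }
             END { if (!found) print 0 }'
}

# Print the unwanted-reply-threshold from an unbound.conf on stdin.
# Prints 0 when the option is not set, which is Unbound's default (tracking off).
conf_threshold() {
    awk '$1 == "unwanted-reply-threshold:" { print $2; found = 1 }
         END { if (!found) print 0 }'
}

# Usage: unwanted_replies_status STATS_TEXT THRESHOLD [WARN_PERCENT]
# Echoes "disabled", "ok", "warn" or "critical". "critical" means the counter
# has reached the threshold, i.e. Unbound has already flushed its caches.
unwanted_replies_status() {
    stats="$1"; threshold="$2"; warn_pct="${3:-50}"
    count=$(printf '%s\n' "$stats" | unwanted_replies_count)
    if [ "$threshold" -le 0 ]; then
        echo "disabled"
        return 0
    fi
    if [ "$count" -ge "$threshold" ]; then
        echo "critical"
    elif [ $((count * 100 / threshold)) -ge "$warn_pct" ]; then
        echo "warn"
    else
        echo "ok"
    fi
}
```

With the constructed 650000 unwanted replies the same burst is "ok" at the patch's 5M but "warn" at the 1M agreed in the thread, which is the visibility difference the lower value buys.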