* [PATCH 2/3] Unbound: Use caps for IDs
@ 2018-08-19 18:11 Peter Müller
2018-08-23 13:40 ` Michael Tremer
2018-08-27 15:26 ` [PATCH 2/3 v2] " Peter Müller
0 siblings, 2 replies; 5+ messages in thread
From: Peter Müller @ 2018-08-19 18:11 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 874 bytes --]
Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
random bits into upstream queries. Upstream documentation claims
it to be an experimental implementation, it did not cause any trouble
on productive systems here.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
further details.
Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
---
config/unbound/unbound.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index fa2ca3fd4..8b5d34ee3 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -59,7 +59,7 @@ server:
harden-below-nxdomain: yes
harden-referral-path: yes
harden-algo-downgrade: no
- use-caps-for-id: no
+ use-caps-for-id: yes
# Harden against DNS cache poisoning
unwanted-reply-threshold: 5000000
--
2.16.4
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 2/3] Unbound: Use caps for IDs
2018-08-19 18:11 [PATCH 2/3] Unbound: Use caps for IDs Peter Müller
@ 2018-08-23 13:40 ` Michael Tremer
2018-08-23 19:15 ` Peter Müller
2018-08-27 15:26 ` [PATCH 2/3 v2] " Peter Müller
1 sibling, 1 reply; 5+ messages in thread
From: Michael Tremer @ 2018-08-23 13:40 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 1195 bytes --]
This was deliberately not enabled because the documentation contains a
warning about various incompatibilities with various other DNS servers.
Is there some sort of study saying that this can be safely enabled?
-Michael
On Sun, 2018-08-19 at 20:11 +0200, Peter Müller wrote:
> Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
> random bits into upstream queries. Upstream documentation claims
> it to be an experimental implementation, it did not cause any trouble
> on productive systems here.
>
> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> further details.
>
> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> ---
> config/unbound/unbound.conf | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> index fa2ca3fd4..8b5d34ee3 100644
> --- a/config/unbound/unbound.conf
> +++ b/config/unbound/unbound.conf
> @@ -59,7 +59,7 @@ server:
> harden-below-nxdomain: yes
> harden-referral-path: yes
> harden-algo-downgrade: no
> - use-caps-for-id: no
> + use-caps-for-id: yes
>
> # Harden against DNS cache poisoning
> unwanted-reply-threshold: 5000000
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 2/3] Unbound: Use caps for IDs
2018-08-23 13:40 ` Michael Tremer
@ 2018-08-23 19:15 ` Peter Müller
2018-08-24 11:51 ` Michael Tremer
0 siblings, 1 reply; 5+ messages in thread
From: Peter Müller @ 2018-08-23 19:15 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 1737 bytes --]
Hello,
> This was deliberately not enabled because the documentation contains a
> warning about various incompatibilities with various other DNS servers.
Yes, there are a lot of broken DNS servers out there...
>
> Is there some sort of study saying that this can be safely enabled?
I know people operating DNS resolvers for > 30k customers with this setting
enabled. They never experienced any issue with this so far. This is enabled
on my systems too.
Currently, I am not aware of a public study.
Best regards,
Peter Müller
>
> -Michael
>
> On Sun, 2018-08-19 at 20:11 +0200, Peter Müller wrote:
>> Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
>> random bits into upstream queries. Upstream documentation claims
>> it to be an experimental implementation, it did not cause any trouble
>> on productive systems here.
>>
>> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
>> further details.
>>
>> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
>> ---
>> config/unbound/unbound.conf | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
>> index fa2ca3fd4..8b5d34ee3 100644
>> --- a/config/unbound/unbound.conf
>> +++ b/config/unbound/unbound.conf
>> @@ -59,7 +59,7 @@ server:
>> harden-below-nxdomain: yes
>> harden-referral-path: yes
>> harden-algo-downgrade: no
>> - use-caps-for-id: no
>> + use-caps-for-id: yes
>>
>> # Harden against DNS cache poisoning
>> unwanted-reply-threshold: 5000000
>
--
Microsoft DNS service terminates abnormally when it recieves a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 2/3] Unbound: Use caps for IDs
2018-08-23 19:15 ` Peter Müller
@ 2018-08-24 11:51 ` Michael Tremer
0 siblings, 0 replies; 5+ messages in thread
From: Michael Tremer @ 2018-08-24 11:51 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 2646 bytes --]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Okay, let's give it a try then.
On Thu, 2018-08-23 at 21:15 +0200, Peter Müller wrote:
> Hello,
>
> > This was deliberately not enabled because the documentation contains a
> > warning about various incompatibilities with various other DNS servers.
>
> Yes, there are a lot of broken DNS servers out there...
> >
> > Is there some sort of study saying that this can be safely enabled?
>
> I know people operating DNS resolvers for > 30k customers with this setting
> enabled. They never experienced any issue with this so far. This is enabled
> on my systems too.
>
> Currently, I am not aware of a public study.
>
> Best regards,
> Peter Müller
> >
> > -Michael
> >
> > On Sun, 2018-08-19 at 20:11 +0200, Peter Müller wrote:
> > > Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
> > > random bits into upstream queries. Upstream documentation claims
> > > it to be an experimental implementation, it did not cause any trouble
> > > on productive systems here.
> > >
> > > See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> > > further details.
> > >
> > > Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> > > ---
> > > config/unbound/unbound.conf | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> > > index fa2ca3fd4..8b5d34ee3 100644
> > > --- a/config/unbound/unbound.conf
> > > +++ b/config/unbound/unbound.conf
> > > @@ -59,7 +59,7 @@ server:
> > > harden-below-nxdomain: yes
> > > harden-referral-path: yes
> > > harden-algo-downgrade: no
> > > - use-caps-for-id: no
> > > + use-caps-for-id: yes
> > >
> > > # Harden against DNS cache poisoning
> > > unwanted-reply-threshold: 5000000
>
>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAlt/8UgACgkQgHnw/2+Q
CQd1JBAAgbHWIFzbXOOcaiQHgzyi3gVeZ4tnV8sMx3Fm563dBU0f24BteOm6lYDl
nu9bqYIGsmIPBpc1Hweqjatc5bkU9NUH3YNCI5LSbu4a66r1wbHpFjpCZTwstufl
THO6BLsm2karfXezpxWi9U+Ug3E2KWMvBnnpdTWy4QfiOQXQttqVoeMOVKLwpaM0
5ExsdjNl7caneflXA3C2Igo1Om7H2+bWQ82TyCD8kjb/SBxuTVfFzACPmWVjUwt7
wmhZiBUpR5vDWkikv4j7AHmi2aT7SKkIGcQiOQvn+sMa/tAqys9B3H5kxXuQYBWs
DdqnIKVAOqk6EhxcDae6zthM+iKy5k5RCjxj6M4qUJXb14/b7LBecxZsiyI2rY1/
8LiUzlq5WnpH8Qkf4f8uV42JGMi4JoY+Tz3css3BWnOB/jN7muIXqTP2DaKv7/rE
weseImTTWftdIPtGlkg0ALMVuErHx0I5hmADfiYbjhJjSD8M9h0Ya7Mxlp5jXcvE
gCq2mrXJxltvJnoQm7GYoK+ivQp9mW/bF+vc0hF7DhtIdFP7lTh0nYQVDgkaMU4k
sAGGk+kovSqQIKuMcZYAjgw759aKVhEfJXNPMqUs7YcrN8lIq19a31vTToJLcEfW
bsopTQJhG9oAb+dWnjDMtICCxlnferRKTVvkbxoUIhe+Y2hYTZw=
=YbLO
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 2/3 v2] Unbound: Use caps for IDs
2018-08-19 18:11 [PATCH 2/3] Unbound: Use caps for IDs Peter Müller
2018-08-23 13:40 ` Michael Tremer
@ 2018-08-27 15:26 ` Peter Müller
1 sibling, 0 replies; 5+ messages in thread
From: Peter Müller @ 2018-08-27 15:26 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 876 bytes --]
Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
random bits into upstream queries. Upstream documentation claims
it to be an experimental implementation, it did not cause any trouble
on productive systems here.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
further details.
Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
---
config/unbound/unbound.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index fa2ca3fd4..8b5d34ee3 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -59,7 +59,7 @@ server:
harden-below-nxdomain: yes
harden-referral-path: yes
harden-algo-downgrade: no
- use-caps-for-id: no
+ use-caps-for-id: yes
# Harden against DNS cache poisoning
unwanted-reply-threshold: 5000000
--
2.16.4
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-08-27 15:26 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-19 18:11 [PATCH 2/3] Unbound: Use caps for IDs Peter Müller
2018-08-23 13:40 ` Michael Tremer
2018-08-23 19:15 ` Peter Müller
2018-08-24 11:51 ` Michael Tremer
2018-08-27 15:26 ` [PATCH 2/3 v2] " Peter Müller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox