* Unbound configuration switch "ignore-cd-flag"
@ 2018-10-30 14:51 Peter Müller
2018-10-30 15:50 ` Michael Tremer
0 siblings, 1 reply; 2+ messages in thread
From: Peter Müller @ 2018-10-30 14:51 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 1263 bytes --]
Hello *,
while doing some research about DNS tunnelling, I stumbled across this
Unbound configuration directive: "ignore-cd-flag"
It is set to "no" as a default value, allowing DNSSEC validation bypass:
> user(a)machine:~> dig soa +cd dnssec-failed.org
>
> ; <<>> DiG 9.11.2 <<>> soa +cd dnssec-failed.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5844
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;dnssec-failed.org. IN SOA
>
> ;; ANSWER SECTION:
> dnssec-failed.org. 8092 IN SOA dns101.comcast.org. dnsadmin.comcast.net. 2010101935 900 180 604800 7200
>
> ;; Query time: 1198 msec
> ;; SERVER: 10.[REDACTED]#53(10.[REDACTED])
> ;; WHEN: Tue Oct 30 15:49:53 CET 2018
> ;; MSG SIZE rcvd: 117
>
I consider this being a security risk and would like to set this
value to "yes" in IPFire.
Thoughts? Opinions?
Thanks, and best regards,
Peter Müller
--
Microsoft DNS service terminates abnormally when it recieves a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Unbound configuration switch "ignore-cd-flag"
2018-10-30 14:51 Unbound configuration switch "ignore-cd-flag" Peter Müller
@ 2018-10-30 15:50 ` Michael Tremer
0 siblings, 0 replies; 2+ messages in thread
From: Michael Tremer @ 2018-10-30 15:50 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 1381 bytes --]
Hey,
sounds like a sensible proposal, but the help text says that Windows Server 2008
won't be able to resolve names any more. That is breaking quite a lot.
-Michael
On Tue, 2018-10-30 at 15:51 +0100, Peter Müller wrote:
> Hello *,
>
> while doing some research about DNS tunnelling, I stumbled across this
> Unbound configuration directive: "ignore-cd-flag"
>
> It is set to "no" as a default value, allowing DNSSEC validation bypass:
>
> > user(a)machine:~> dig soa +cd dnssec-failed.org
> >
> > ; <<>> DiG 9.11.2 <<>> soa +cd dnssec-failed.org
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5844
> > ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;dnssec-failed.org. IN SOA
> >
> > ;; ANSWER SECTION:
> > dnssec-failed.org. 8092 IN SOA dns101.comcast.org.
> > dnsadmin.comcast.net. 2010101935 900 180 604800 7200
> >
> > ;; Query time: 1198 msec
> > ;; SERVER: 10.[REDACTED]#53(10.[REDACTED])
> > ;; WHEN: Tue Oct 30 15:49:53 CET 2018
> > ;; MSG SIZE rcvd: 117
> >
>
> I consider this being a security risk and would like to set this
> value to "yes" in IPFire.
>
> Thoughts? Opinions?
>
> Thanks, and best regards,
> Peter Müller
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-10-30 15:50 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-10-30 14:51 Unbound configuration switch "ignore-cd-flag" Peter Müller
2018-10-30 15:50 ` Michael Tremer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox