From: Peter Müller <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Unbound configuration switch "ignore-cd-flag"
Date: Tue, 30 Oct 2018 15:51:22 +0100
Message-ID: <ff485f32-0205-e05e-9d29-8d49363faff1@link38.eu>

Hello *,

while doing some research about DNS tunnelling, I stumbled across this
Unbound configuration directive: "ignore-cd-flag"

It is set to "no" as a default value, allowing DNSSEC validation bypass:

> user(a)machine:~> dig soa +cd dnssec-failed.org
>
> ; <<>> DiG 9.11.2 <<>> soa +cd dnssec-failed.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5844
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;dnssec-failed.org.            IN      SOA
>
> ;; ANSWER SECTION:
> dnssec-failed.org.      8092    IN      SOA     dns101.comcast.org. dnsadmin.comcast.net. 2010101935 900 180 604800 7200
>
> ;; Query time: 1198 msec
> ;; SERVER: 10.[REDACTED]#53(10.[REDACTED])
> ;; WHEN: Tue Oct 30 15:49:53 CET 2018
> ;; MSG SIZE  rcvd: 117
>

I consider this a security risk and would like to set this value to
"yes" in IPFire.

Thoughts? Opinions?

Thanks, and best regards,
Peter Müller

-- 
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made.
Fix Information: Run your DNS service on a different platform.
-- bugtraq
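An added example, not part of the mail above and not Unbound's own code: it decodes the DNS header flag bits that the dig output shows ("qr rd ra cd", no "ad"), builds a query header with the CD bit set the way `dig +cd` does, and models the effect of Unbound's `ignore-cd-flag` option on whether a validating resolver still validates such a query. The sample response header is constructed to match the dig run in the mail (id 5844, NOERROR, flags qr rd ra cd, 1 question, 1 answer, 1 additional); the resolver model is my reading of the option's documented meaning, not Unbound's implementation.

```python
"""Decode DNS header flags and model Unbound's ignore-cd-flag behaviour.

Added example (not from the original mail or from the Unbound project).
The resolver model below is an assumption based on the option's meaning:
with ignore-cd-flag set to "no" (the default) a query carrying the CD bit
is answered without DNSSEC validation; with "yes" the CD bit is ignored
and the answer is validated as usual.  The matching configuration lines
in unbound.conf would be:

    server:
        ignore-cd-flag: yes
"""
import struct

# Bit masks within the 16-bit flags word of the DNS header (RFC 1035, RFC 4035).
FLAG_BITS = {
    "qr": 0x8000,  # response (1) or query (0)
    "aa": 0x0400,  # authoritative answer
    "tc": 0x0200,  # truncated
    "rd": 0x0100,  # recursion desired
    "ra": 0x0080,  # recursion available
    "ad": 0x0020,  # authentic data: resolver validated the answer
    "cd": 0x0010,  # checking disabled: client asks resolver not to validate
}
RCODE_MASK = 0x000F

# Constructed 12-byte response header matching the dig output in the mail:
# id 5844, flags qr|rd|ra|cd (0x8190), QDCOUNT 1, ANCOUNT 1, NSCOUNT 0, ARCOUNT 1.
CONSTRUCTED_RESPONSE_HEADER = struct.pack("!6H", 5844, 0x8190, 1, 1, 0, 1)


def parse_header(msg: bytes) -> dict:
    """Return id, rcode, section counts and the list of set flag names."""
    if len(msg) < 12:
        raise ValueError("a DNS message header is 12 bytes")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": msg_id,
        "flags": [name for name, mask in FLAG_BITS.items() if flags & mask],
        "rcode": flags & RCODE_MASK,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def build_query_header(msg_id: int, cd: bool) -> bytes:
    """Header of a recursive query; cd=True is what `dig +cd` sends."""
    flags = FLAG_BITS["rd"] | (FLAG_BITS["cd"] if cd else 0)
    return struct.pack("!6H", msg_id, flags, 1, 0, 0, 0)


def resolver_will_validate(query_header: bytes, ignore_cd_flag: bool) -> bool:
    """Model (assumption) of the ignore-cd-flag option.

    Returns True when the resolver performs DNSSEC validation for this query.
    """
    if ignore_cd_flag:
        return True                       # CD bit disregarded: always validate
    _, flags = struct.unpack("!2H", query_header[:4])
    return not (flags & FLAG_BITS["cd"])  # honour CD: client opted out


def answer_was_validated(response_header: bytes) -> bool:
    """A response that carries AD was validated; one with CD and no AD was not."""
    return "ad" in parse_header(response_header)["flags"]


if __name__ == "__main__":
    hdr = parse_header(CONSTRUCTED_RESPONSE_HEADER)
    print(f"id={hdr['id']} rcode={hdr['rcode']} flags={' '.join(hdr['flags'])}")
    q = build_query_header(5844, cd=True)
    for setting in (False, True):
        print(f"ignore-cd-flag: {'yes' if setting else 'no':3} -> "
              f"validate={resolver_will_validate(q, setting)}")
```

Running it prints the flags of the constructed header exactly as dig reported them, and shows that only with `ignore-cd-flag: yes` does a CD-marked query still go through validation. The defender-side check is the combination visible in the mail: NOERROR plus "cd" and no "ad" for a zone whose DNSSEC is deliberately broken means the resolver handed out an unvalidated answer.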