Hello *,
while doing some research about DNS tunnelling, I stumbled across this Unbound configuration directive: "ignore-cd-flag"
It is set to "no" as a default value, allowing DNSSEC validation bypass:
user@machine:~> dig soa +cd dnssec-failed.org
; <<>> DiG 9.11.2 <<>> soa +cd dnssec-failed.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5844 ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;dnssec-failed.org. IN SOA
;; ANSWER SECTION: dnssec-failed.org. 8092 IN SOA dns101.comcast.org. dnsadmin.comcast.net. 2010101935 900 180 604800 7200
;; Query time: 1198 msec ;; SERVER: 10.[REDACTED]#53(10.[REDACTED]) ;; WHEN: Tue Oct 30 15:49:53 CET 2018 ;; MSG SIZE rcvd: 117
I consider this being a security risk and would like to set this value to "yes" in IPFire.
Thoughts? Opinions?
Thanks, and best regards, Peter Müller
Hey,
sounds like a sensible proposal, but the help text says that Windows Server 2008 won't be able to resolve names any more. That is breaking quite a lot.
-Michael
On Tue, 2018-10-30 at 15:51 +0100, Peter Müller wrote:
Hello *,
while doing some research about DNS tunnelling, I stumbled across this Unbound configuration directive: "ignore-cd-flag"
It is set to "no" as a default value, allowing DNSSEC validation bypass:
user@machine:~> dig soa +cd dnssec-failed.org
; <<>> DiG 9.11.2 <<>> soa +cd dnssec-failed.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5844 ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;dnssec-failed.org. IN SOA
;; ANSWER SECTION: dnssec-failed.org. 8092 IN SOA dns101.comcast.org. dnsadmin.comcast.net. 2010101935 900 180 604800 7200
;; Query time: 1198 msec ;; SERVER: 10.[REDACTED]#53(10.[REDACTED]) ;; WHEN: Tue Oct 30 15:49:53 CET 2018 ;; MSG SIZE rcvd: 117
I consider this being a security risk and would like to set this value to "yes" in IPFire.
Thoughts? Opinions?
Thanks, and best regards, Peter Müller
Hello Michael,
Hey,
sounds like a sensible proposal, but the help text says that Windows Server 2008 won't be able to resolve names any more. That is breaking quite a lot.
in my eyes the documentation is saying something different:
ignore-cd-flag: <yes or no> Instruct unbound to ignore the CD flag from clients and refuse to return bogus answers to them. Thus, the CD (Checking Dis- abled) flag does not disable checking any more. This is useful if legacy (w2008) servers that set the CD flag but cannot vali- date DNSSEC themselves are the clients, and then unbound pro- vides them with DNSSEC protection. The default value is "no".
This sounds like Windows Server 2008 indicate CD flag, but do not validate (Who needs DNS security, anyway?!) so Unbound passes unvalidated data to them. Enabling this would cause Unbound to answer SERVFAIL in case DNSSEC signatures mismatch, or something similar.
I think this feature can be safely enabled.
Thanks, and best regards, Peter Müller
-Michael
On Tue, 2018-10-30 at 15:51 +0100, Peter Müller wrote:
Hello *,
while doing some research about DNS tunnelling, I stumbled across this Unbound configuration directive: "ignore-cd-flag"
It is set to "no" as a default value, allowing DNSSEC validation bypass:
user@machine:~> dig soa +cd dnssec-failed.org
; <<>> DiG 9.11.2 <<>> soa +cd dnssec-failed.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5844 ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;dnssec-failed.org. IN SOA
;; ANSWER SECTION: dnssec-failed.org. 8092 IN SOA dns101.comcast.org. dnsadmin.comcast.net. 2010101935 900 180 604800 7200
;; Query time: 1198 msec ;; SERVER: 10.[REDACTED]#53(10.[REDACTED]) ;; WHEN: Tue Oct 30 15:49:53 CET 2018 ;; MSG SIZE rcvd: 117
I consider this being a security risk and would like to set this value to "yes" in IPFire.
Thoughts? Opinions?
Thanks, and best regards, Peter Müller