By default, Unbound neither keeps track of the number of unwanted replies nor initiates countermeasures if they become too large (DNS cache poisoning).
This sets the maximum number of tolerated unwanted replies to 1M, causing the cache to be flushed afterwards. (Upstream documentation recommends 10M as a threshold, but this turned out to be ineffective against attacks in the wild.)
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for details. This version of the patch uses 1M as threshold instead of 5M and supersedes the first version.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/unbound/unbound.conf | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 3f724d8f7..fa2ca3fd4 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -61,6 +61,9 @@ server: harden-algo-downgrade: no use-caps-for-id: no
+ # Harden against DNS cache poisoning + unwanted-reply-threshold: 1000000 + # Listen on all interfaces interface-automatic: yes interface: 0.0.0.0
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
This is only one patch of the whole patchset...
On Sun, 2018-08-26 at 20:34 +0200, Peter Müller wrote:
By default, Unbound neither keeps track of the number of unwanted replies nor initiates countermeasures if they become too large (DNS cache poisoning).
This sets the maximum number of tolerated unwanted replies to 1M, causing the cache to be flushed afterwards. (Upstream documentation recommends 10M as a threshold, but this turned out to be ineffective against attacks in the wild.)
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for details. This version of the patch uses 1M as threshold instead of 5M and supersedes the first version.
Signed-off-by: Peter Müller peter.mueller@link38.eu
config/unbound/unbound.conf | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 3f724d8f7..fa2ca3fd4 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -61,6 +61,9 @@ server: harden-algo-downgrade: no use-caps-for-id: no
- # Harden against DNS cache poisoning
- unwanted-reply-threshold: 1000000
- # Listen on all interfaces interface-automatic: yes interface: 0.0.0.0
Yes, sorry. Submitted the whole thing again (without PGP the second time). Please merge version 4 of the patchset. :-\
Best regards, Peter Müller
This is only one patch of the whole patchset...
On Sun, 2018-08-26 at 20:34 +0200, Peter Müller wrote:
By default, Unbound neither keeps track of the number of unwanted replies nor initiates countermeasures if they become too large (DNS cache poisoning).
This sets the maximum number of tolerated unwanted replies to 1M, causing the cache to be flushed afterwards. (Upstream documentation recommends 10M as a threshold, but this turned out to be ineffective against attacks in the wild.)
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for details. This version of the patch uses 1M as threshold instead of 5M and supersedes the first version.
Signed-off-by: Peter Müller peter.mueller@link38.eu
config/unbound/unbound.conf | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 3f724d8f7..fa2ca3fd4 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -61,6 +61,9 @@ server: harden-algo-downgrade: no use-caps-for-id: no
- # Harden against DNS cache poisoning
- unwanted-reply-threshold: 1000000
- # Listen on all interfaces interface-automatic: yes interface: 0.0.0.0
The list has only received v3...
On Mon, 2018-08-27 at 17:45 +0200, Peter Müller wrote:
Yes, sorry. Submitted the whole thing again (without PGP the second time). Please merge version 4 of the patchset. :-\
Best regards, Peter Müller
This is only one patch of the whole patchset...
On Sun, 2018-08-26 at 20:34 +0200, Peter Müller wrote:
By default, Unbound neither keeps track of the number of unwanted replies nor initiates countermeasures if they become too large (DNS cache poisoning). This sets the maximum number of tolerated unwanted replies to 1M, causing the cache to be flushed afterwards. (Upstream documentation recommends 10M as a threshold, but this turned out to be ineffective against attacks in the wild.) See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for details. This version of the patch uses 1M as threshold instead of 5M and supersedes the first version. Signed-off-by: Peter Müller peter.mueller@link38.eu
config/unbound/unbound.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 3f724d8f7..fa2ca3fd4 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -61,6 +61,9 @@ server: harden-algo-downgrade: no use-caps-for-id: no
- # Harden against DNS cache poisoning
- unwanted-reply-threshold: 1000000
- # Listen on all interfaces interface-automatic: yes interface: 0.0.0.0
I'm sorry, v3 is what I meant here...
The list has only received v3...
On Mon, 2018-08-27 at 17:45 +0200, Peter Müller wrote:
Yes, sorry. Submitted the whole thing again (without PGP the second time). Please merge version 4 of the patchset. :-\
Best regards, Peter Müller
This is only one patch of the whole patchset... [snip]--
Microsoft DNS service terminates abnormally when it recieves a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform. -- bugtraq
-
Michael Tremer -
Peter Müller