By default, Unbound neither keeps track of the number of unwanted replies nor initiates countermeasures if they become too large (DNS cache poisoning).
This sets the maximum number of tolerated unwanted replies to 5M, causing the cache to be flushed afterwards. (Upstream documentation recommends 10M as a threshold, but this turned out to be ineffective against attacks in the wild.)
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for details.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/unbound/unbound.conf | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 3f724d8f7..fa2ca3fd4 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -61,6 +61,9 @@ server: harden-algo-downgrade: no use-caps-for-id: no
+ # Harden against DNS cache poisoning + unwanted-reply-threshold: 5000000 + # Listen on all interfaces interface-automatic: yes interface: 0.0.0.0
Do you have any reference for this?
On Sun, 2018-08-19 at 20:08 +0200, Peter Müller wrote:
By default, Unbound neither keeps track of the number of unwanted replies nor initiates countermeasures if they become too large (DNS cache poisoning).
This sets the maximum number of tolerated unwanted replies to 5M, causing the cache to be flushed afterwards. (Upstream documentation recommends 10M as a threshold, but this turned out to be ineffective against attacks in the wild.)
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for details.
Signed-off-by: Peter Müller peter.mueller@link38.eu
config/unbound/unbound.conf | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 3f724d8f7..fa2ca3fd4 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -61,6 +61,9 @@ server: harden-algo-downgrade: no use-caps-for-id: no
- # Harden against DNS cache poisoning
- unwanted-reply-threshold: 5000000
- # Listen on all interfaces interface-automatic: yes interface: 0.0.0.0
Well, some people consider 10k a good value for this: https://calomel.org/unbound_dns.html
Not sure if this is actually too low. During some attacks, 5M was satisfying here, but I did not dig into thresholds deeper. Simulated attacks did not show a unique behaviour, and their real value is questionable in my point of view.
What do you propose for the value? 1M or 100k?
Best regards, Peter Müller
Do you have any reference for this?
On Sun, 2018-08-19 at 20:08 +0200, Peter Müller wrote:
By default, Unbound neither keeps track of the number of unwanted replies nor initiates countermeasures if they become too large (DNS cache poisoning).
This sets the maximum number of tolerated unwanted replies to 5M, causing the cache to be flushed afterwards. (Upstream documentation recommends 10M as a threshold, but this turned out to be ineffective against attacks in the wild.)
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for details.
Signed-off-by: Peter Müller peter.mueller@link38.eu
config/unbound/unbound.conf | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 3f724d8f7..fa2ca3fd4 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -61,6 +61,9 @@ server: harden-algo-downgrade: no use-caps-for-id: no
- # Harden against DNS cache poisoning
- unwanted-reply-threshold: 5000000
- # Listen on all interfaces interface-automatic: yes interface: 0.0.0.0
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
1M sounds good.
This should never become a problem for zones that use DNSSEC.
On Thu, 2018-08-23 at 21:22 +0200, Peter Müller wrote:
Well, some people consider 10k a good value for this: https://calomel.org/unbound_dns.html
Not sure if this is actually too low. During some attacks, 5M was satisfying here, but I did not dig into thresholds deeper. Simulated attacks did not show a unique behaviour, and their real value is questionable in my point of view.
What do you propose for the value? 1M or 100k?
Best regards, Peter Müller
Do you have any reference for this?
On Sun, 2018-08-19 at 20:08 +0200, Peter Müller wrote:
By default, Unbound neither keeps track of the number of unwanted replies nor initiates countermeasures if they become too large (DNS cache poisoning).
This sets the maximum number of tolerated unwanted replies to 5M, causing the cache to be flushed afterwards. (Upstream documentation recommends 10M as a threshold, but this turned out to be ineffective against attacks in the wild.)
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for details.
Signed-off-by: Peter Müller peter.mueller@link38.eu
config/unbound/unbound.conf | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 3f724d8f7..fa2ca3fd4 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -61,6 +61,9 @@ server: harden-algo-downgrade: no use-caps-for-id: no
- # Harden against DNS cache poisoning
- unwanted-reply-threshold: 5000000
- # Listen on all interfaces interface-automatic: yes interface: 0.0.0.0
Hello Michael,
could you merge the series with the second version of this patch then?
Thanks, and best regards, Peter Müller
1M sounds good.
This should never become a problem for zones that use DNSSEC.
On Thu, 2018-08-23 at 21:22 +0200, Peter Müller wrote:
Well, some people consider 10k a good value for this: https://calomel.org/unbound_dns.html
Not sure if this is actually too low. During some attacks, 5M was satisfying here, but I did not dig into thresholds deeper. Simulated attacks did not show a unique behaviour, and their real value is questionable in my point of view.
What do you propose for the value? 1M or 100k?
Best regards, Peter Müller
[snip]
-
Michael Tremer -
Peter Müller