Attempt to detect DNS spoofing attacks by inserting 0x20-encoded random bits into upstream queries. Upstream documentation claims it to be an experimental implementation, it did not cause any trouble on productive systems here.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for further details.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/unbound/unbound.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index fa2ca3fd4..8b5d34ee3 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -59,7 +59,7 @@ server: harden-below-nxdomain: yes harden-referral-path: yes harden-algo-downgrade: no - use-caps-for-id: no + use-caps-for-id: yes
# Harden against DNS cache poisoning unwanted-reply-threshold: 5000000
This was deliberately not enabled because the documentation contains a warning about various incompatibilities with various other DNS servers.
Is there some sort of study saying that this can be safely enabled?
-Michael
On Sun, 2018-08-19 at 20:11 +0200, Peter Müller wrote:
Attempt to detect DNS spoofing attacks by inserting 0x20-encoded random bits into upstream queries. Upstream documentation claims it to be an experimental implementation, it did not cause any trouble on productive systems here.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for further details.
Signed-off-by: Peter Müller peter.mueller@link38.eu
config/unbound/unbound.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index fa2ca3fd4..8b5d34ee3 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -59,7 +59,7 @@ server: harden-below-nxdomain: yes harden-referral-path: yes harden-algo-downgrade: no
- use-caps-for-id: no
use-caps-for-id: yes
# Harden against DNS cache poisoning unwanted-reply-threshold: 5000000
Hello,
This was deliberately not enabled because the documentation contains a warning about various incompatibilities with various other DNS servers.
Yes, there are a lot of broken DNS servers out there...
Is there some sort of study saying that this can be safely enabled?
I know people operating DNS resolvers for > 30k customers with this setting enabled. They never experienced any issue with this so far. This is enabled on my systems too.
Currently, I am not aware of a public study.
Best regards, Peter Müller
-Michael
On Sun, 2018-08-19 at 20:11 +0200, Peter Müller wrote:
Attempt to detect DNS spoofing attacks by inserting 0x20-encoded random bits into upstream queries. Upstream documentation claims it to be an experimental implementation, it did not cause any trouble on productive systems here.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for further details.
Signed-off-by: Peter Müller peter.mueller@link38.eu
config/unbound/unbound.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index fa2ca3fd4..8b5d34ee3 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -59,7 +59,7 @@ server: harden-below-nxdomain: yes harden-referral-path: yes harden-algo-downgrade: no
- use-caps-for-id: no
use-caps-for-id: yes
# Harden against DNS cache poisoning unwanted-reply-threshold: 5000000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Okay, let's give it a try then.
On Thu, 2018-08-23 at 21:15 +0200, Peter Müller wrote:
Hello,
This was deliberately not enabled because the documentation contains a warning about various incompatibilities with various other DNS servers.
Yes, there are a lot of broken DNS servers out there...
Is there some sort of study saying that this can be safely enabled?
I know people operating DNS resolvers for > 30k customers with this setting enabled. They never experienced any issue with this so far. This is enabled on my systems too.
Currently, I am not aware of a public study.
Best regards, Peter Müller
-Michael
On Sun, 2018-08-19 at 20:11 +0200, Peter Müller wrote:
Attempt to detect DNS spoofing attacks by inserting 0x20-encoded random bits into upstream queries. Upstream documentation claims it to be an experimental implementation, it did not cause any trouble on productive systems here.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for further details.
Signed-off-by: Peter Müller peter.mueller@link38.eu
config/unbound/unbound.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index fa2ca3fd4..8b5d34ee3 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -59,7 +59,7 @@ server: harden-below-nxdomain: yes harden-referral-path: yes harden-algo-downgrade: no
- use-caps-for-id: no
use-caps-for-id: yes
# Harden against DNS cache poisoning unwanted-reply-threshold: 5000000
Attempt to detect DNS spoofing attacks by inserting 0x20-encoded random bits into upstream queries. Upstream documentation claims it to be an experimental implementation, it did not cause any trouble on productive systems here.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for further details.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/unbound/unbound.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index fa2ca3fd4..8b5d34ee3 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -59,7 +59,7 @@ server: harden-below-nxdomain: yes harden-referral-path: yes harden-algo-downgrade: no - use-caps-for-id: no + use-caps-for-id: yes
# Harden against DNS cache poisoning unwanted-reply-threshold: 5000000
-
Michael Tremer -
Peter Müller