By default, Unbound neither keeps track of the number of unwanted replies nor initiates countermeasures if they become too large (DNS cache poisoning).
This sets the maximum number of tolerated unwanted replies to 1M, causing the cache to be flushed afterwards. (Upstream documentation recommends 10M as a threshold, but this turned out to be ineffective against attacks in the wild.)
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for details. This version of the patch uses 1M as threshold instead of 5M and supersedes the first and second version.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/unbound/unbound.conf | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 3f724d8f7..ce9ddcd62 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -61,6 +61,9 @@ server: harden-algo-downgrade: no use-caps-for-id: no
+ # Harden against DNS cache poisoning + unwanted-reply-threshold: 1000000 + # Listen on all interfaces interface-automatic: yes interface: 0.0.0.0
Attempt to detect DNS spoofing attacks by inserting 0x20-encoded random bits into upstream queries. Upstream documentation claims it to be an experimental implementation, it did not cause any trouble on productive systems here.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for further details.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/unbound/unbound.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index ce9ddcd62..6eaf70a8e 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -59,7 +59,7 @@ server: harden-below-nxdomain: yes harden-referral-path: yes harden-algo-downgrade: no - use-caps-for-id: no + use-caps-for-id: yes
# Harden against DNS cache poisoning unwanted-reply-threshold: 1000000
This avoids some needless lookups to destination domains with a very high NXDOMAIN rate and reduces load on upstream servers.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for further details.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/unbound/unbound.conf | 1 + 1 file changed, 1 insertion(+)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 6eaf70a8e..cda591dab 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -60,6 +60,7 @@ server: harden-referral-path: yes harden-algo-downgrade: no use-caps-for-id: yes + aggressive-nsec: yes
# Harden against DNS cache poisoning unwanted-reply-threshold: 1000000
Merged!
On Mon, 2018-09-10 at 16:21 +0200, Peter Müller wrote:
By default, Unbound neither keeps track of the number of unwanted replies nor initiates countermeasures if they become too large (DNS cache poisoning).
This sets the maximum number of tolerated unwanted replies to 1M, causing the cache to be flushed afterwards. (Upstream documentation recommends 10M as a threshold, but this turned out to be ineffective against attacks in the wild.)
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for details. This version of the patch uses 1M as threshold instead of 5M and supersedes the first and second version.
Signed-off-by: Peter Müller peter.mueller@link38.eu
config/unbound/unbound.conf | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 3f724d8f7..ce9ddcd62 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -61,6 +61,9 @@ server: harden-algo-downgrade: no use-caps-for-id: no
- # Harden against DNS cache poisoning
- unwanted-reply-threshold: 1000000
- # Listen on all interfaces interface-automatic: yes interface: 0.0.0.0
-
Michael Tremer -
Peter Müller