Attempt to detect DNS spoofing attacks by inserting 0x20-encoded random bits into upstream queries. Upstream documentation claims it to be an experimental implementation, it did not cause any trouble on productive systems here.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for further details.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/unbound/unbound.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index fa2ca3fd4..8b5d34ee3 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -59,7 +59,7 @@ server: harden-below-nxdomain: yes harden-referral-path: yes harden-algo-downgrade: no - use-caps-for-id: no + use-caps-for-id: yes
# Harden against DNS cache poisoning unwanted-reply-threshold: 5000000
-
Peter Müller