Message ID | 96863f17-bb80-2cdc-cb55-2ca06a9cc673@link38.eu |
---|---|
State | Superseded |
Series | [1/3] Unbound: Enable DNS cache poisoning mitigation |
Commit Message
Peter Müller
Aug. 20, 2018, 4:08 a.m. UTC
By default, Unbound neither keeps track of the number of unwanted
replies nor initiates countermeasures if they become too large (DNS
cache poisoning).
This sets the maximum number of tolerated unwanted replies to
5M, causing the cache to be flushed afterwards. (Upstream documentation
recommends 10M as a threshold, but this turned out to be ineffective
against attacks in the wild.)
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
details.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
config/unbound/unbound.conf | 3 +++
1 file changed, 3 insertions(+)
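As an added operational check (not part of this patch or of IPFire's own code), the Python below reads the threshold out of an unbound.conf snippet and compares it with the `unwanted.replies` counter that `unbound-control stats_noreset` reports, treating Unbound's default of 0 as disabled; both sample inputs are constructed.

```python
import re

# Constructed sample of the patched unbound.conf section.
SAMPLE_CONF = """\
server:
    use-caps-for-id: no
    # Harden against DNS cache poisoning
    unwanted-reply-threshold: 5000000
"""

# Constructed, abridged sample of `unbound-control stats_noreset` output.
SAMPLE_STATS = """\
unwanted.queries=12
unwanted.replies=3750000
"""

def configured_threshold(conf_text):
    """Return unwanted-reply-threshold from unbound.conf text; 0 (Unbound's
    default, meaning no tracking and no countermeasure) if it is unset."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"unwanted-reply-threshold:\s*(\d+)$", line)
        if m:
            return int(m.group(1))
    return 0

def unwanted_replies(stats_text):
    """Return the unwanted.replies counter, or None if it is not reported."""
    for line in stats_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "unwanted.replies":
            return int(value)
    return None

def assess(conf_text, stats_text, warn_at=0.5):
    """Classify how close the resolver is to its defensive cache flush.
    The threshold is enforced per worker thread, while the stats counter
    is the total over all threads, so the ratio is an upper bound."""
    threshold = configured_threshold(conf_text)
    if threshold == 0:
        return "disabled", 0.0   # default: nothing is tracked or flushed
    seen = unwanted_replies(stats_text)
    if seen is None:
        return "unknown", 0.0    # counter missing from the stats dump
    ratio = seen / threshold
    if ratio >= 1.0:
        return "reached", ratio  # Unbound flushes its cache and logs a warning
    return ("warning" if ratio >= warn_at else "ok"), ratio
```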
Comments
Do you have any reference for this?

On Sun, 2018-08-19 at 20:08 +0200, Peter Müller wrote:
> By default, Unbound neither keeps track of the number of unwanted
> replies nor initiates countermeasures if they become too large (DNS
> cache poisoning).
>
> This sets the maximum number of tolerated unwanted replies to
> 5M, causing the cache to be flushed afterwards. (Upstream documentation
> recommends 10M as a threshold, but this turned out to be ineffective
> against attacks in the wild.)
>
> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> details.
>
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
> config/unbound/unbound.conf | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> index 3f724d8f7..fa2ca3fd4 100644
> --- a/config/unbound/unbound.conf
> +++ b/config/unbound/unbound.conf
> @@ -61,6 +61,9 @@ server:
> harden-algo-downgrade: no
> use-caps-for-id: no
>
> + # Harden against DNS cache poisoning
> + unwanted-reply-threshold: 5000000
> +
> # Listen on all interfaces
> interface-automatic: yes
> interface: 0.0.0.0
Well, some people consider 10k a good value for this:
https://calomel.org/unbound_dns.html

Not sure if this is actually too low. During some attacks, 5M
was satisfying here, but I did not dig into thresholds deeper.
Simulated attacks did not show a unique behaviour, and their
real value is questionable in my point of view.

What do you propose for the value? 1M or 100k?

Best regards,
Peter Müller

> Do you have any reference for this?
>
> On Sun, 2018-08-19 at 20:08 +0200, Peter Müller wrote:
>> By default, Unbound neither keeps track of the number of unwanted
>> replies nor initiates countermeasures if they become too large (DNS
>> cache poisoning).
>>
>> This sets the maximum number of tolerated unwanted replies to
>> 5M, causing the cache to be flushed afterwards. (Upstream documentation
>> recommends 10M as a threshold, but this turned out to be ineffective
>> against attacks in the wild.)
>>
>> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
>> details.
>>
>> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
>> ---
>> config/unbound/unbound.conf | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
>> index 3f724d8f7..fa2ca3fd4 100644
>> --- a/config/unbound/unbound.conf
>> +++ b/config/unbound/unbound.conf
>> @@ -61,6 +61,9 @@ server:
>> harden-algo-downgrade: no
>> use-caps-for-id: no
>>
>> + # Harden against DNS cache poisoning
>> + unwanted-reply-threshold: 5000000
>> +
>> # Listen on all interfaces
>> interface-automatic: yes
>> interface: 0.0.0.0
>
1M sounds good.

This should never become a problem for zones that use DNSSEC.

On Thu, 2018-08-23 at 21:22 +0200, Peter Müller wrote:
> Well, some people consider 10k a good value for this:
> https://calomel.org/unbound_dns.html
>
> Not sure if this is actually too low. During some attacks, 5M
> was satisfying here, but I did not dig into thresholds deeper.
> Simulated attacks did not show a unique behaviour, and their
> real value is questionable in my point of view.
>
> What do you propose for the value? 1M or 100k?
>
> Best regards,
> Peter Müller
>
> > Do you have any reference for this?
> >
> > On Sun, 2018-08-19 at 20:08 +0200, Peter Müller wrote:
> > > By default, Unbound neither keeps track of the number of unwanted
> > > replies nor initiates countermeasures if they become too large (DNS
> > > cache poisoning).
> > >
> > > This sets the maximum number of tolerated unwanted replies to
> > > 5M, causing the cache to be flushed afterwards. (Upstream documentation
> > > recommends 10M as a threshold, but this turned out to be ineffective
> > > against attacks in the wild.)
> > >
> > > See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> > > details.
> > >
> > > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > > ---
> > > config/unbound/unbound.conf | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> > > index 3f724d8f7..fa2ca3fd4 100644
> > > --- a/config/unbound/unbound.conf
> > > +++ b/config/unbound/unbound.conf
> > > @@ -61,6 +61,9 @@ server:
> > > harden-algo-downgrade: no
> > > use-caps-for-id: no
> > >
> > > + # Harden against DNS cache poisoning
> > > + unwanted-reply-threshold: 5000000
> > > +
> > > # Listen on all interfaces
> > > interface-automatic: yes
> > > interface: 0.0.0.0
> >
Hello Michael,

could you merge the series with the second version of this patch then?

Thanks, and best regards,
Peter Müller

> 1M sounds good.
>
> This should never become a problem for zones that use DNSSEC.
>
> On Thu, 2018-08-23 at 21:22 +0200, Peter Müller wrote:
>> Well, some people consider 10k a good value for this:
>> https://calomel.org/unbound_dns.html
>
>> Not sure if this is actually too low. During some attacks, 5M
>> was satisfying here, but I did not dig into thresholds deeper.
>> Simulated attacks did not show a unique behaviour, and their
>> real value is questionable in my point of view.
>
>> What do you propose for the value? 1M or 100k?
>
>> Best regards,
>> Peter Müller
> [snip]
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 3f724d8f7..fa2ca3fd4 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -61,6 +61,9 @@ server: harden-algo-downgrade: no use-caps-for-id: no + # Harden against DNS cache poisoning + unwanted-reply-threshold: 5000000 + # Listen on all interfaces interface-automatic: yes interface: 0.0.0.0
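Review bot: the inline comment added in this hunk ("# Harden against DNS cache poisoning") says neither what happens when `unwanted-reply-threshold` is reached nor why 5000000 was chosen; the rationale (the cache is flushed once the threshold is hit, upstream suggests 10M but that proved too high in practice) exists only in the commit message, so the next person reading unbound.conf cannot judge the number. Suggest expanding the comment to something like `# Flush the cache after this many unwanted replies (upstream suggests 10M, lowered on purpose)`. Also note that the discussion above settled on 1M and the patch is marked Superseded, so the 5000000 in this hunk is not the value that should be merged.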