[1/3,v3] Unbound: Enable DNS cache poisoning mitigation

Message ID d1ec23e3-6438-3c79-3ddc-08d08c92c34a@link38.eu
State Superseded
Headers
Series [1/3,v3] Unbound: Enable DNS cache poisoning mitigation |

Commit Message

Peter Müller Aug. 28, 2018, 1:29 a.m. UTC
  By default, Unbound neither keeps track of the number of unwanted
replies nor initiates countermeasures if they become too large (DNS
cache poisoning).

This sets the maximum number of tolerated unwanted replies to
1M, causing the cache to be flushed afterwards. (Upstream documentation
recommends 10M as a threshold, but this turned out to be ineffective
against attacks in the wild.)

See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
details. This version of the patch uses 1M as threshold instead of
5M and supersedes the first version.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 config/unbound/unbound.conf | 3 +++
 1 file changed, 3 insertions(+)
  

Comments

Michael Tremer Sept. 10, 2018, 2:46 a.m. UTC | #1
This patchset does not apply.

On Mon, 2018-08-27 at 17:29 +0200, Peter Müller wrote:
> By default, Unbound neither keeps track of the number of unwanted
> replies nor initiates countermeasures if they become too large (DNS
> cache poisoning).
> 
> This sets the maximum number of tolerated unwanted replies to
> 1M, causing the cache to be flushed afterwards. (Upstream documentation
> recommends 10M as a threshold, but this turned out to be ineffective
> against attacks in the wild.)
> 
> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> details. This version of the patch uses 1M as threshold instead of
> 5M and supersedes the first version.
> 
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
>  config/unbound/unbound.conf | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> index 3f724d8f7..fa2ca3fd4 100644
> --- a/config/unbound/unbound.conf
> +++ b/config/unbound/unbound.conf
> @@ -61,6 +61,9 @@ server:
>  	harden-algo-downgrade: no
>  	use-caps-for-id: no
>  
> +	# Harden against DNS cache poisoning
> +	unwanted-reply-threshold: 1000000
> +
>  	# Listen on all interfaces
>  	interface-automatic: yes
>  	interface: 0.0.0.0
  
Peter Müller Sept. 10, 2018, 2:47 a.m. UTC | #2
Why?

> This patchset does not apply.
> 
> On Mon, 2018-08-27 at 17:29 +0200, Peter Müller wrote:
>> By default, Unbound neither keeps track of the number of unwanted
>> replies nor initiates countermeasures if they become too large (DNS
>> cache poisoning).
>>
>> This sets the maximum number of tolerated unwanted replies to
>> 1M, causing the cache to be flushed afterwards. (Upstream documentation
>> recommends 10M as a threshold, but this turned out to be ineffective
>> against attacks in the wild.)
>>
>> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
>> details. This version of the patch uses 1M as threshold instead of
>> 5M and supersedes the first version.
>>
>> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
>> ---
>>  config/unbound/unbound.conf | 3 +++
>>  1 file changed, 3 insertions(+)
>>
>> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
>> index 3f724d8f7..fa2ca3fd4 100644
>> --- a/config/unbound/unbound.conf
>> +++ b/config/unbound/unbound.conf
>> @@ -61,6 +61,9 @@ server:
>>  	harden-algo-downgrade: no
>>  	use-caps-for-id: no
>>  
>> +	# Harden against DNS cache poisoning
>> +	unwanted-reply-threshold: 1000000
>> +
>>  	# Listen on all interfaces
>>  	interface-automatic: yes
>>  	interface: 0.0.0.0
>
  
Michael Tremer Sept. 10, 2018, 2:50 a.m. UTC | #3
It just isn't a consecutive order of patches.

The first one has manually been changed and the rest of the branch wasn't
rebased. They came from another branch.

Build one branch and let git send-email do the work for you.

-Michael

On Sun, 2018-09-09 at 18:47 +0200, Peter Müller wrote:
> Why?
> 
> > This patchset does not apply.
> > 
> > On Mon, 2018-08-27 at 17:29 +0200, Peter Müller wrote:
> > > By default, Unbound neither keeps track of the number of unwanted
> > > replies nor initiates countermeasures if they become too large (DNS
> > > cache poisoning).
> > > 
> > > This sets the maximum number of tolerated unwanted replies to
> > > 1M, causing the cache to be flushed afterwards. (Upstream documentation
> > > recommends 10M as a threshold, but this turned out to be ineffective
> > > against attacks in the wild.)
> > > 
> > > See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> > > details. This version of the patch uses 1M as threshold instead of
> > > 5M and supersedes the first version.
> > > 
> > > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > > ---
> > >  config/unbound/unbound.conf | 3 +++
> > >  1 file changed, 3 insertions(+)
> > > 
> > > diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> > > index 3f724d8f7..fa2ca3fd4 100644
> > > --- a/config/unbound/unbound.conf
> > > +++ b/config/unbound/unbound.conf
> > > @@ -61,6 +61,9 @@ server:
> > >  	harden-algo-downgrade: no
> > >  	use-caps-for-id: no
> > >  
> > > +	# Harden against DNS cache poisoning
> > > +	unwanted-reply-threshold: 1000000
> > > +
> > >  	# Listen on all interfaces
> > >  	interface-automatic: yes
> > >  	interface: 0.0.0.0
> 
>
  

Patch

diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 3f724d8f7..fa2ca3fd4 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -61,6 +61,9 @@  server:
 	harden-algo-downgrade: no
 	use-caps-for-id: no
 
+	# Harden against DNS cache poisoning
+	unwanted-reply-threshold: 1000000
+
 	# Listen on all interfaces
 	interface-automatic: yes
 	interface: 0.0.0.0