From patchwork Tue Sep 11 00:21:24 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 1918 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) by web02.i.ipfire.org (Postfix) with ESMTP id 0D10C61DE2 for ; Mon, 10 Sep 2018 16:21:37 +0200 (CEST) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id BDE3810A14A5; Mon, 10 Sep 2018 15:21:36 +0100 (BST) Received: from mx-nbg.link38.eu (mx-nbg.link38.eu [IPv6:2a03:4000:6:432c:1f9e:48:ac3:199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx-nbg.link38.eu", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id C9CAE109EBA3 for ; Mon, 10 Sep 2018 15:21:29 +0100 (BST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=link38.eu; s=201803; t=1536589287; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references; bh=gXgMPN9TtGJV8xx/j+pKkTa/A+VzgwtFrzlZ6KDRyTE=; b=ZuYcDGoWXq/OBgXQylgiToN/g6xAcTUU9wzOahllz1L+4Tuv74UO3LantuzkmsEkePQtap Dyk+tZQJQ4kZ1M0buykfM38xTAEKXbsaQBZR7VMlYh79rRWSj+MYc/OzimVVkpWu6NzCtO dww48LRw/tGWizNcS1qJ8vw7eoMoEJJy3Ri4DRV7IUeZVmewxHZR+y/quDLRsbWRqQXpo3 pUlVx6mShUwtdOl3GX8R/+Q1FzhIXHDaQxhpi5wKOma42oTkHFl7orebBdpfOFmBHUCriO J062MPbJm++4dXCu/t2F/Qp0V5LbXJcLlcmbKLILgWNtFfCmla4FJE0F8gFi/Q== From: =?utf-8?q?Peter_M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH v4 1/3] Unbound: Enable DNS cache poisoning mitigation Date: Mon, 10 Sep 2018 16:21:24 +0200 Message-Id: <20180910142126.5265-1-peter.mueller@link38.eu> MIME-Version: 1.0 Authentication-Results: mail01.ipfire.org; dkim=pass header.d=link38.eu; dmarc=pass (policy=none) header.from=link38.eu; spf=pass smtp.mailfrom=peter.mueller@link38.eu X-Spamd-Result: default: False [-11.54 / 11.00]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[link38.eu]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2a03:4000:6:432c:1f9e:48:ac3:199]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; DKIM_TRACE(0.00)[link38.eu:+]; RCVD_IN_DNSWL_MED(-2.00)[9.9.1.0.3.c.a.0.8.4.0.0.e.9.f.1.c.2.3.4.6.0.0.0.0.0.0.4.3.0.a.2.list.dnswl.org : 127.0.6.2]; MID_CONTAINS_FROM(1.00)[]; MX_GOOD(-0.01)[cached: mx-nbg.link38.eu]; DMARC_POLICY_ALLOW(-0.25)[link38.eu,none]; NEURAL_HAM(-3.00)[-1.000,0]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; IP_SCORE(-3.78)[ip: (-9.90), ipnet: 2a03:4000::/32(-4.95), asn: 197540(-3.96), country: DE(-0.09)]; ASN(0.00)[asn:197540, ipnet:2a03:4000::/32, country:DE]; RCVD_TLS_ALL(0.00)[]; BAYES_HAM(-3.00)[100.00%] X-Spam-Status: No, score=-11.54 X-Rspamd-Server: mail01.i.ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" By default, Unbound neither keeps track of the number of unwanted replies nor initiates countermeasures if they become too large (DNS cache poisoning). This sets the maximum number of tolerated unwanted replies to 1M, causing the cache to be flushed afterwards. (Upstream documentation recommends 10M as a threshold, but this turned out to be ineffective against attacks in the wild.) See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for details. This version of the patch uses 1M as threshold instead of 5M and supersedes the first and second version. Signed-off-by: Peter Müller --- config/unbound/unbound.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 3f724d8f7..ce9ddcd62 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -61,6 +61,9 @@ server: harden-algo-downgrade: no use-caps-for-id: no + # Harden against DNS cache poisoning + unwanted-reply-threshold: 1000000 + # Listen on all interfaces interface-automatic: yes interface: 0.0.0.0