| Message ID | c9d3419f-5ca9-bcfa-9e01-7047025af279@link38.eu |
|---|---|
| State | Superseded |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) by web02.i.ipfire.org (Postfix) with ESMTP id 8F4AA60B42 for <patchwork@web02.i.ipfire.org>; Sun, 19 Aug 2018 20:11:41 +0200 (CEST) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 391CE112692A; Sun, 19 Aug 2018 19:11:41 +0100 (BST) Received: from mx-nbg.link38.eu (mx-nbg.link38.eu [IPv6:2a03:4000:6:432c:1f9e:48:ac3:199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx-nbg.link38.eu", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 3E80E1126923 for <development@lists.ipfire.org>; Sun, 19 Aug 2018 19:11:38 +0100 (BST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=link38.eu; s=201803; t=1534702300; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references; bh=yW6U57FL8lOZMrXTYdYR3ZIoHJSxQrfWgRCs/2I8vRw=; b=lFaWUAyEuXtMY5VZSVV9hoKJ8yMlkzCkBJ8gu4+IzyImhg91skjsXLGWR5G55rztiRQadJ 6c5KEwW7I5caVbZBUDqptAoKga1htc8VJkgyAVC2zHH7y4smlSXThJ4QpY92D9rAy4rkwP ez1Lhxoom3+zWCItLnvs12OODqTllaLvaAsr6TF+3jnE/XAZdL1VTIJtjQaM3uIh9KM52f Yjhv4Wd5PWhbai60ly8x9jomgGluNNKAF9zP25wXF5KwDKaZlogyhEHGZRH5CWTig9+1gJ W4GFDsDlJ6sjKL+OQmNvlxMWLmTkRylYKevsl0un9Oh0wY9/9xht5KajxwjV/w== To: "ipfire: Development-List" <development@lists.ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@link38.eu> Openpgp: preference=signencrypt Autocrypt: addr=peter.mueller@link38.eu; prefer-encrypt=mutual; keydata= xsFNBFrlh/UBEADDNM0LnM9+1NhjgfIz7Ww9Hlx6egK75TJoVa/S9gjI+3DeXn7hsj7vZnQz qSXMhSauU7k4g+F+MmOJP2HRIl0lEo/JNrpAqrAseSnbJp4eq8OTyAL6+Z3SVNJNbcRDOHmw jb/GR8ncURcgYDYV+oCs4csrghtBnm4cWaD/RW10zlB4nQsqQ5G3jzY9aIM+NKRHSAZEbXBZ W6pyDcGRMkwSFTHXpjtFDZ6mVEMxi1nv2W8PMU+uGbs3ud4gzPZ0tT5ICR8bp71qpua4r4RQ o6rB/suiPOptOE5/rk8FiW3ho0y1xDu7bRx8UzdLS9cYCVeSvf9n9YZ6RGOH9O7dS23zfTkS 8iqYol1PmVZrNtpsWBCq4HzFtRJPs6gykFNfj2sVQXU3RHHf2ui0OKm3R0olhLVbKSw2qSPM ajP1vBuVLEMSJmucxlJQ72Im/afnOz3LlNt+/FOB0zneoKGvPpPGSP/Fr5FJYED6/l1DZl2W 8Wb76xq3HGfETHW9kwwqbbQefMu6LNQIw9CnTpSk/R9mt7AnIrKCjxfclLDfz6VBJ0grRDDF PBEVBrj7uZM0UCl/dUX0adjDxBfma/UJZcBlDVX61+41vsX6w094sveKaNdqybAIxqGnhRUq kCHm5P/IYOZrtkao/TsRIW508MJBGmxoUl2qqCj7tXtNy2tiUQARAQABzSdQZXRlciBNw7xs bGVyIDxwZXRlci5tdWVsbGVyQGxpbmszOC5ldT7CwX8EEwECACkFAlrlh/UCGyMFCQlmAYAH CwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDZSPIPfXufaDlVD/0elAwSohcC4T5jFtPt hZ1+jU9t46pwBhQ8ohKpo4/wAuVBg5B0FYb0gegcSicYWsNkhTtCjUhExMilLKTaJir5l+3V B/rU/WG7NgLYqmYsGlgHPXdLZAbOMU/0atONFYos1UZnRGmPfhLwRw3g5TBaKrfqaFBzRABE W0R+XuRoXy9ho+lNP5g0Sa+SxtOeBpLQxppObk5WLUqDKxrvHhStgM3PrJASKujsJiw19IUg ws0q+WezH8LPQd3Vc8DP56sl1/h8w2Xklsdxj1NEcO7OIrrKSNIRGyqgqvtmDi6dxh1suGUW Par/VhB+P+u0yVy8H1lZ4SFUsZJFPwHNFSN41USmT/uHf9Z7K1+qXm4zpyexrDQ+ojuXxnB1 y97cHYcYaCZ2Bo+deljXng1NF0I3CdIdhPfLv7FHRBoBw1xs0qJjUfTfSAZsYD0H/jl76bRx 4s8rrECqM7pMnE4aLiP4m6gKJKooH8QAQsmGRYAI8gG/BIHPHZUpZ8J2jRnj6GQ1MpEdcnLE Q0N7QMayDoPq177es7tey5vzofq3bDGW/O9yqUWiz3e7uaGSQnYoRGm2oCCTojvGt37yS0H8 v+ms2fokPNt8UDmpZoLFFPXDwVcnL/KBkPY665xchatKpBOtJ3lRnXdlyRJW1gGda9G5mGFn xLcWumkZ12YKmtixuM7BTQRa5Yf1ARAA4UCkVBvQhks9lApBxvfZ8ekWrticMooBkegL+KQT TPWQHTgdwkFzSneaRq0vFFcgKxmXA54OmT58y0tf09hUvTGK4COs5GTZKP/SYSWZM6xOQqaT 37fros/ma4iSS+IJw/eDh7bWKM5gllz0EuoewaTveGDWeucf7V36mRUPG47GsNk/PgCRsO5Y SLlpfT/3xH02aRnUmWjzHCkJ9EV388cIWaYo9kP4q9rbcl3IyHP0t78XpIIWH6+o/I0FgzwL GJBdJ0eAE3PNIRGYu8nqYlJ+TIpcIrEPitma6nZtiWAITRO2XDb/2o05tUlEbmlN6dUOqM7X Jvj/Z9KkYNgvYNbHXqXJ+j5gzcq0DR7DtDSDnd1WDrYivQMGBDnZR2YfFjBEsmeArdmDTZqY aqYhBN3iMCI9cErZgik6Niz6jrqBMK98geB04vrqZUYprh7zXgPu0A/EwTIJuZ+GGeEKwMVL pBc2NGxUb/kt8nr1JHAnSludD78EW6QVdpcgO4DhHxzhdDk/L8yE53b5UdvXwad5N4T1QS/Y kk80nByinD4vaIIHti9nOvLQJAro1p997YnVeY0wQ2x14Qw1rqeCOeKqB8PxmHvSK6b+nXLg Dv7HuFLovIeQd/IimGLXBDW4Bkn60HApJ5KcX+GwHp5XqPRKPmtjfMsETZn1ESjyc3sAEQEA AcLBZQQYAQIADwUCWuWH9QIbDAUJCWYBgAAKCRDZSPIPfXufaBRaEACMS5Q1BY/O5o+Vn8lD uMUczEVk/8j07gi1EV2ffutwZ5eYrKvXkuoMPEBb7SWqPUKqpTbw1pNjUf5002c2xm2r/OSZ oQMRWDztht+EMhjy0qkixMV+TvS6DcFPb8sd+KOoIBD08EBVUxpeNhAFxaRjGEDboJUwtDAd EDUJts5HnXvBqEcnkOfkwDSUWf9epa1mbyO1sO5NnMtxQY6paB2UGQPNE5/J3eo4f5s4wrxR AaM6OCCOtJxs4u0svmOCwd0D8LQ6higBq+EFesc57ZpG3pkNokrROFWRpx6OpQJUnYi5lWm8 +4xF99QfI9mHIz+jrnPcsfAiKdXb8QkeaDkR7bIU269wwKupfN6bHsKFtOnx7AhMLUddzTHA hTe8cov/tnn5xPvSZhpfknOBx+mffNQBsCETuCxPMqtDN5xFuwBxw4ZKZpKYFk/FUl6As1z4 LY2tNXb/JI58fGiLreunuvxsEkb97hmly1e19IPOTJzawB/aKRQNpIkoE11UBhKyc+kwIfVo ZCTlp+3hpBFqxEjRReSQUKKb9hA4yP3j90Fb353JbNKf9+Y3UtFPJb67koDOGtbJsk19bzPE zO0j/ek+eXxTIf5NxURVuzY6yvg57ZzW7T/tApT/LLfMEmuYz/LiijgON0uTOSp8KflwAt8m eNtEia+FigGVqn+PSQ== Subject: [PATCH 2/3] Unbound: Use caps for IDs Message-ID: <c9d3419f-5ca9-bcfa-9e01-7047025af279@link38.eu> Date: Sun, 19 Aug 2018 20:11:35 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Authentication-Results: mail01.ipfire.org; dkim=pass header.d=link38.eu; dmarc=pass (policy=none) header.from=link38.eu; spf=pass smtp.mailfrom=peter.mueller@link38.eu X-Spamd-Result: default: False [-9.54 / 11.00]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[link38.eu]; BAYES_HAM(-3.00)[100.00%]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2a03:4000:6:432c:1f9e:48:ac3:199]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; RCPT_COUNT_ONE(0.00)[1]; TO_DN_ALL(0.00)[]; DKIM_TRACE(0.00)[link38.eu:+]; RCVD_IN_DNSWL_MED(-2.00)[9.9.1.0.3.c.a.0.8.4.0.0.e.9.f.1.c.2.3.4.6.0.0.0.0.0.0.4.3.0.a.2.list.dnswl.org : 127.0.6.2]; DMARC_POLICY_ALLOW(-0.25)[link38.eu,none]; MX_GOOD(-0.01)[cached: mx-nbg.link38.eu]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; IP_SCORE(-3.78)[ip: (-9.90), ipnet: 2a03:4000::/32(-4.95), asn: 197540(-3.96), country: DE(-0.09)]; ASN(0.00)[asn:197540, ipnet:2a03:4000::/32, country:DE]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[] X-Spam-Status: No, score=-9.54 X-Rspamd-Server: mail01.i.ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <https://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series |
[1/3] Unbound: Enable DNS cache poisoning mitigation
|
|
Commit Message
Peter Müller
Aug. 20, 2018, 4:11 a.m. UTC
Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
random bits into upstream queries. Upstream documentation claims
it to be an experimental implementation, it did not cause any trouble
on productive systems here.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
further details.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
config/unbound/unbound.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
This was deliberately not enabled because the documentation contains a warning about various incompatibilities with various other DNS servers. Is there some sort of study saying that this can be safely enabled? -Michael On Sun, 2018-08-19 at 20:11 +0200, Peter Müller wrote: > Attempt to detect DNS spoofing attacks by inserting 0x20-encoded > random bits into upstream queries. Upstream documentation claims > it to be an experimental implementation, it did not cause any trouble > on productive systems here. > > See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for > further details. > > Signed-off-by: Peter Müller <peter.mueller@link38.eu> > --- > config/unbound/unbound.conf | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf > index fa2ca3fd4..8b5d34ee3 100644 > --- a/config/unbound/unbound.conf > +++ b/config/unbound/unbound.conf > @@ -59,7 +59,7 @@ server: > harden-below-nxdomain: yes > harden-referral-path: yes > harden-algo-downgrade: no > - use-caps-for-id: no > + use-caps-for-id: yes > > # Harden against DNS cache poisoning > unwanted-reply-threshold: 5000000
Hello, > This was deliberately not enabled because the documentation contains a > warning about various incompatibilities with various other DNS servers. Yes, there are a lot of broken DNS servers out there... > > Is there some sort of study saying that this can be safely enabled? I know people operating DNS resolvers for > 30k customers with this setting enabled. They never experienced any issue with this so far. This is enabled on my systems too. Currently, I am not aware of a public study. Best regards, Peter Müller > > -Michael > > On Sun, 2018-08-19 at 20:11 +0200, Peter Müller wrote: >> Attempt to detect DNS spoofing attacks by inserting 0x20-encoded >> random bits into upstream queries. Upstream documentation claims >> it to be an experimental implementation, it did not cause any trouble >> on productive systems here. >> >> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for >> further details. >> >> Signed-off-by: Peter Müller <peter.mueller@link38.eu> >> --- >> config/unbound/unbound.conf | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf >> index fa2ca3fd4..8b5d34ee3 100644 >> --- a/config/unbound/unbound.conf >> +++ b/config/unbound/unbound.conf >> @@ -59,7 +59,7 @@ server: >> harden-below-nxdomain: yes >> harden-referral-path: yes >> harden-algo-downgrade: no >> - use-caps-for-id: no >> + use-caps-for-id: yes >> >> # Harden against DNS cache poisoning >> unwanted-reply-threshold: 5000000 >
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Okay, let's give it a try then. On Thu, 2018-08-23 at 21:15 +0200, Peter Müller wrote: > Hello, > > > This was deliberately not enabled because the documentation contains a > > warning about various incompatibilities with various other DNS servers. > > Yes, there are a lot of broken DNS servers out there... > > > > Is there some sort of study saying that this can be safely enabled? > > I know people operating DNS resolvers for > 30k customers with this setting > enabled. They never experienced any issue with this so far. This is enabled > on my systems too. > > Currently, I am not aware of a public study. > > Best regards, > Peter Müller > > > > -Michael > > > > On Sun, 2018-08-19 at 20:11 +0200, Peter Müller wrote: > > > Attempt to detect DNS spoofing attacks by inserting 0x20-encoded > > > random bits into upstream queries. Upstream documentation claims > > > it to be an experimental implementation, it did not cause any trouble > > > on productive systems here. > > > > > > See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for > > > further details. > > > > > > Signed-off-by: Peter Müller <peter.mueller@link38.eu> > > > --- > > > config/unbound/unbound.conf | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf > > > index fa2ca3fd4..8b5d34ee3 100644 > > > --- a/config/unbound/unbound.conf > > > +++ b/config/unbound/unbound.conf > > > @@ -59,7 +59,7 @@ server: > > > harden-below-nxdomain: yes > > > harden-referral-path: yes > > > harden-algo-downgrade: no > > > - use-caps-for-id: no > > > + use-caps-for-id: yes > > > > > > # Harden against DNS cache poisoning > > > unwanted-reply-threshold: 5000000 > > -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAlt/8UgACgkQgHnw/2+Q CQd1JBAAgbHWIFzbXOOcaiQHgzyi3gVeZ4tnV8sMx3Fm563dBU0f24BteOm6lYDl nu9bqYIGsmIPBpc1Hweqjatc5bkU9NUH3YNCI5LSbu4a66r1wbHpFjpCZTwstufl THO6BLsm2karfXezpxWi9U+Ug3E2KWMvBnnpdTWy4QfiOQXQttqVoeMOVKLwpaM0 5ExsdjNl7caneflXA3C2Igo1Om7H2+bWQ82TyCD8kjb/SBxuTVfFzACPmWVjUwt7 wmhZiBUpR5vDWkikv4j7AHmi2aT7SKkIGcQiOQvn+sMa/tAqys9B3H5kxXuQYBWs DdqnIKVAOqk6EhxcDae6zthM+iKy5k5RCjxj6M4qUJXb14/b7LBecxZsiyI2rY1/ 8LiUzlq5WnpH8Qkf4f8uV42JGMi4JoY+Tz3css3BWnOB/jN7muIXqTP2DaKv7/rE weseImTTWftdIPtGlkg0ALMVuErHx0I5hmADfiYbjhJjSD8M9h0Ya7Mxlp5jXcvE gCq2mrXJxltvJnoQm7GYoK+ivQp9mW/bF+vc0hF7DhtIdFP7lTh0nYQVDgkaMU4k sAGGk+kovSqQIKuMcZYAjgw759aKVhEfJXNPMqUs7YcrN8lIq19a31vTToJLcEfW bsopTQJhG9oAb+dWnjDMtICCxlnferRKTVvkbxoUIhe+Y2hYTZw= =YbLO -----END PGP SIGNATURE-----
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index fa2ca3fd4..8b5d34ee3 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -59,7 +59,7 @@ server: harden-below-nxdomain: yes harden-referral-path: yes harden-algo-downgrade: no - use-caps-for-id: no + use-caps-for-id: yes # Harden against DNS cache poisoning unwanted-reply-threshold: 5000000