From: Peter Müller Date: Mon, 10 Sep 2018 14:21:25 +0000 (+0200) Subject: Unbound: Use caps for IDs X-Git-Tag: v2.21-core124~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4e4128faacab7a25e5845faffefa2b2b2128eff7;p=ipfire-2.x.git Unbound: Use caps for IDs Attempt to detect DNS spoofing attacks by inserting 0x20-encoded random bits into upstream queries. Upstream documentation claims it to be an experimental implementation, it did not cause any trouble on productive systems here. See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for further details. Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index ce9ddcd62f..6eaf70a8ea 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -59,7 +59,7 @@ server: harden-below-nxdomain: yes harden-referral-path: yes harden-algo-downgrade: no - use-caps-for-id: no + use-caps-for-id: yes # Harden against DNS cache poisoning unwanted-reply-threshold: 1000000
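Review bot: The changed line `use-caps-for-id: yes` in the `server:` block (hunk `@@ -59,7 +59,7 @@`) has no comment in the config file, although the commit message says upstream documentation describes the feature as experimental. That caveat belongs next to the setting, for example a comment line above it such as `# 0x20-encoded random bits in upstream queries (experimental upstream)`, so that someone debugging a resolution failure later can see which option to revert. The line also sits above the existing `# Harden against DNS cache poisoning` comment even though the commit message presents it as a spoofing countermeasure; moving it below that comment, next to `unwanted-reply-threshold: 1000000`, would group it with the related setting. The only evidence offered for the change is that it caused no trouble on the submitter's systems, so the commit message would be stronger if it said which upstream resolver setups that covered.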