From: Peter Müller <peter.mueller@link38.eu>
Date: Mon, 10 Sep 2018 14:21:24 +0000 (+0200)
Subject: Unbound: Enable DNS cache poisoning mitigation
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ffba3c98bac2675f19f32541f5e1ebe61419e7bd;p=people%2Fms%2Fipfire-2.x.git

Unbound: Enable DNS cache poisoning mitigation

By default, Unbound neither keeps track of the number of unwanted
replies nor initiates countermeasures if they become too large (DNS
cache poisoning).

This sets the maximum number of tolerated unwanted replies to
1M, causing the cache to be flushed afterwards. (Upstream documentation
recommends 10M as a threshold, but this turned out to be ineffective
against attacks in the wild.)

See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
details. This version of the patch uses 1M as threshold instead of
5M and supersedes the first and second version.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 3f724d8f76..ce9ddcd62f 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -61,6 +61,9 @@ server:
 	harden-algo-downgrade: no
 	use-caps-for-id: no
 
+	# Harden against DNS cache poisoning
+	unwanted-reply-threshold: 1000000
+
 	# Listen on all interfaces
 	interface-automatic: yes
 	interface: 0.0.0.0