From ffba3c98bac2675f19f32541f5e1ebe61419e7bd Mon Sep 17 00:00:00 2001 From: =?utf8?q?Peter=20M=C3=BCller?= Date: Mon, 10 Sep 2018 16:21:24 +0200 Subject: [PATCH] Unbound: Enable DNS cache poisoning mitigation MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit By default, Unbound neither keeps track of the number of unwanted replies nor initiates countermeasures if they become too large (DNS cache poisoning). This sets the maximum number of tolerated unwanted replies to 1M, causing the cache to be flushed afterwards. (Upstream documentation recommends 10M as a threshold, but this turned out to be ineffective against attacks in the wild.) See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for details. This version of the patch uses 1M as threshold instead of 5M and supersedes the first and second version. Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- config/unbound/unbound.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 3f724d8f76..ce9ddcd62f 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -61,6 +61,9 @@ server: harden-algo-downgrade: no use-caps-for-id: no + # Harden against DNS cache poisoning + unwanted-reply-threshold: 1000000 + # Listen on all interfaces interface-automatic: yes interface: 0.0.0.0 -- 2.39.5