git.ipfire.org Git - people/ms/ipfire-2.x.git/commitdiff
Unbound: Use caps for IDs
author Peter Müller <peter.mueller@link38.eu>
Mon, 10 Sep 2018 14:21:25 +0000 (16:21 +0200)
committer Michael Tremer <michael.tremer@ipfire.org>
Mon, 10 Sep 2018 15:34:20 +0000 (16:34 +0100)
Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
random bits into upstream queries. Upstream documentation claims
it to be an experimental implementation, it did not cause any trouble
on productive systems here.

See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
further details.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/unbound/unbound.conf

index ce9ddcd62fecab8900377b745d23c5ad6add8287..6eaf70a8eaef8082e9a92a4cbf9c6b2d578d2715 100644 (file)
@@ -59,7 +59,7 @@ server:
        harden-below-nxdomain: yes
        harden-referral-path: yes
        harden-algo-downgrade: no
-       use-caps-for-id: no
+       use-caps-for-id: yes
 
        # Harden against DNS cache poisoning
        unwanted-reply-threshold: 1000000
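Review bot: The flipped `use-caps-for-id: yes` line carries no comment, although the commit message says upstream documents the feature as experimental. Suggest a one-line comment above it stating that it enables 0x20 case randomisation of query names and is experimental upstream, so that someone debugging failed lookups against an upstream server that does not echo the query name's case can find the switch quickly. The line would also read better under the existing `# Harden against DNS cache poisoning` comment just below, since the commit message gives spoofing detection as its purpose.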