By default, Unbound neither keeps track of the number of unwanted
replies nor initiates countermeasures if they become too large (DNS
cache poisoning).
This sets the maximum number of tolerated unwanted replies to
1M, causing the cache to be flushed afterwards. (Upstream documentation
recommends 10M as a threshold, but this turned out to be ineffective
against attacks in the wild.)
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
details. This version of the patch uses 1M as threshold instead of
5M and supersedes the first and second version.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
harden-algo-downgrade: no
use-caps-for-id: no
+ # Harden against DNS cache poisoning
+ unwanted-reply-threshold: 1000000
+
# Listen on all interfaces
interface-automatic: yes
interface: 0.0.0.0
projects / people / ms / ipfire-2.x.git / commitdiff
