Bug #4402
Unbound: enable harden-glue by default and/or apply patch
Status: Closed
Description
DNS poisoning seems to be possible under 2.2 according to https://forum.pfsense.org/index.php?topic=87491.0.
Fix: enable "harden-glue: yes" in unbound.conf or apply the following patch from Unbound-Dev-Team member Wouter
(please see https://forum.pfsense.org/index.php?topic=87491.msg488694#msg488694 for details)
From today's http://unbound.nlnetlabs.nl/svn/trunk/doc/Changelog:
10 February 2015: Wouter - Fix scrubber with harden-glue turned off to reject NS (and other not-address) records.
Patch:
Index: iterator/iter_scrub.c =================================================================== --- iterator/iter_scrub.c (revision 3329) +++ iterator/iter_scrub.c (working copy) @@ -680,7 +680,9 @@ * (we dont want its glue that was approved * during the normalize action) */ del_addi = 1; - } else if(!env->cfg->harden_glue) { + } else if(!env->cfg->harden_glue && ( + rrset->type == LDNS_RR_TYPE_A || + rrset->type == LDNS_RR_TYPE_AAAA)) { /* store in cache! Since it is relevant * (from normalize) it will be picked up * from the cache to be used later */
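Review bot: the new condition keeps the cache-store branch for A and AAAA rrsets only, but the visible context ends with the "store in cache!" comment, so the branch that now receives NS and other non-address records when harden-glue is off is not shown; confirm that the fall-through path marks them for deletion (as the `del_addi = 1;` branch just above does) rather than leaving them in the message. A short comment on the added `rrset->type == LDNS_RR_TYPE_A || rrset->type == LDNS_RR_TYPE_AAAA` lines stating that only address glue is ever eligible for caching with harden-glue off would also help the next reader, since the Changelog entry quoted above is the only place that rationale appears.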
Best regards.
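As an added example (not part of this bug report, the Unbound patch, or pfSense's own upgrade code), a small Python check for the setting discussed above: it reads an unbound.conf text, reports the effective harden-glue value, and rewrites it to "yes" the way a config upgrade step would. It assumes the option lives in the "server:" clause and that Unbound applies the last occurrence of a scalar option; the sample config is constructed.

```python
import re

# Unbound's compiled-in default for harden-glue is "yes"; the pfSense 2.2
# generated unbound.conf overrode it to "no" (the weak setting this bug is about).
HARDEN_GLUE_DEFAULT = True

# Matches "harden-glue: <value>" with optional leading whitespace.
_OPT_RE = re.compile(r"^\s*harden-glue:\s*(\S+)")


def _strip_comment(line: str) -> str:
    # Unbound treats everything after '#' as a comment.
    return line.split("#", 1)[0]


def harden_glue_enabled(conf_text: str) -> bool:
    """Return the effective harden-glue value of an unbound.conf text.

    Assumption: the last occurrence of the option wins; an absent option
    means the compiled-in default ("yes"). Commented-out lines are ignored."""
    value = HARDEN_GLUE_DEFAULT
    for raw in conf_text.splitlines():
        m = _OPT_RE.match(_strip_comment(raw))
        if m:
            value = m.group(1).strip('"').lower() == "yes"
    return value


def enforce_harden_glue(conf_text: str) -> str:
    """Rewrite the config so harden-glue is unconditionally "yes".

    Existing settings are replaced in place (keeping their indentation); if
    none is present, the option is inserted right after the "server:" header
    (assumption: exactly one such clause exists)."""
    out, replaced = [], False
    for raw in conf_text.splitlines():
        if _OPT_RE.match(_strip_comment(raw)):
            indent = raw[: len(raw) - len(raw.lstrip())]
            out.append(indent + "harden-glue: yes")
            replaced = True
        else:
            out.append(raw)
    if not replaced:
        for i, line in enumerate(out):
            if _strip_comment(line).strip() == "server:":
                out.insert(i + 1, "harden-glue: yes")
                break
    return "\n".join(out) + "\n"


# Constructed sample resembling the weak pfSense 2.2 default.
SAMPLE_CONF = "server:\n# resolver hardening\nharden-glue: no\nharden-dnssec-stripped: yes\n"
```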
Updated by Chris Buechler almost 10 years ago
- Status changed from New to Confirmed
- Assignee set to Chris Buechler
- Priority changed from Normal to High
- Target version set to 2.2.1
Part of this was fixed in the default config yesterday (harden-glue is now enabled by default). We'll also add config upgrade code to enable this for anyone who doesn't already have it enabled upon upgrade to 2.2.1.
Updated by Olivier Müller almost 10 years ago
Thanks for the fixes!
On this topic, Unbound 1.5.2rc1 has just been released, and final may then be ready before pfSense 2.2.1.
http://www.unbound.net/pipermail/unbound-users/2015-February/003774.html
Interesting part:
This release fixes a DNSSEC validation issue when an upstream server
with different trust anchors introduces unsigned records in messages.
Harden-glue when turned off allows potentially poisonous records in
the cache in the hopes of that enabling DNS resolution for 'impossible
to resolve' domains, it is fixed to have 'less cache poisoning',
quotes added because it is by definition not secure to turn off
harden-glue. New features are that "inform" can be used to see which
IPs lookup a domain, and unbound-control can use named unix pipes.
Updated by Renato Botelho over 9 years ago
Olivier Müller wrote:
Thanks for the fixes!
On this topic, Unbound 1.5.2rc1 has just been released, and final may then be ready before pfSense 2.2.1.
http://www.unbound.net/pipermail/unbound-users/2015-February/003774.html
Interesting part:
This release fixes a DNSSEC validation issue when an upstream server
with different trust anchors introduces unsigned records in messages.
Harden-glue when turned off allows potentially poisonous records in
the cache in the hopes of that enabling DNS resolution for 'impossible
to resolve' domains, it is fixed to have 'less cache poisoning',
quotes added because it is by definition not secure to turn off
harden-glue. New features are that "inform" can be used to see which
IPs lookup a domain, and unbound-control can use named unix pipes.
unbound was updated to 1.5.2.
Updated by Chris Buechler over 9 years ago
- Status changed from Confirmed to Resolved
2.2.1 has Unbound 1.5.2, has hard-coded harden-glue yes, and removed that option from the GUI entirely to discourage people from messing with it. I don't see any circumstance where that would be useful or desirable.