Project

General

Profile

Bug #4402

Unbound: enable harden-glue by default and/or apply patch

Added by Olivier Müller over 4 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
High
Category:
DNS Resolver
Target version:
Start date:
02/10/2015
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.2
Affected Architecture:

Description

DNS poisoning seems to be possible under 2.2 according to https://forum.pfsense.org/index.php?topic=87491.0.

Fix: enable "harden-glue: yes" in unbound.conf or apply the following patch from Unbound-Dev-Team member Wouter
(please see https://forum.pfsense.org/index.php?topic=87491.msg488694#msg488694 for details)

From today's http://unbound.nlnetlabs.nl/svn/trunk/doc/Changelog:

 10 February 2015: Wouter
    - Fix scrubber with harden-glue turned off to reject NS (and other
      not-address) records.

Patch:

Index: iterator/iter_scrub.c
===================================================================
--- iterator/iter_scrub.c       (revision 3329)
+++ iterator/iter_scrub.c       (working copy)
@@ -680,7 +680,9 @@
                                 * (we dont want its glue that was approved
                                 * during the normalize action) */
                                del_addi = 1;
-                       } else if(!env->cfg->harden_glue) {
+                       } else if(!env->cfg->harden_glue && (
+                               rrset->type == LDNS_RR_TYPE_A ||
+                               rrset->type == LDNS_RR_TYPE_AAAA)) {
                                /* store in cache! Since it is relevant
                                 * (from normalize) it will be picked up
                                 * from the cache to be used later */

Best regards.

Associated revisions

Revision 5c7c369f (diff)
Added by Chris Buechler over 4 years ago

Remove the harden-glue option entirely and hard code it to yes. Ticket #4402

Revision 73cdd9f0 (diff)
Added by Chris Buechler over 4 years ago

Remove the harden-glue option entirely and hard code it to yes. Ticket #4402

History

#1 Updated by Chris Buechler over 4 years ago

  • Status changed from New to Confirmed
  • Assignee set to Chris Buechler
  • Priority changed from Normal to High
  • Target version set to 2.2.1

Part of this was fixed in the default config yesterday (harden-glue is now enabled by default). We'll also add config upgrade code to enable this for anyone who doesn't already have it enabled upon upgrade to 2.2.1.

#2 Updated by Olivier Müller over 4 years ago

Thanks for the fixes !

On this topic, Unbound 1.5.2rc1 has just been released, and final may then be ready before pfsense 2.2.1.
http://www.unbound.net/pipermail/unbound-users/2015-February/003774.html

Interesting part:
This release fixes a DNSSEC validation issue when an upstream server
with different trust anchors introduces unsigned records in messages.
Harden-glue when turned off allows potentially poisonous records in
the cache in the hopes of that enabling DNS resolution for 'impossible
to resolve' domains, it is fixed to have 'less cache poisoning',
quotes added because it is by definition not secure to turn off
harden-glue. New features are that "inform" can be used to see which
IPs lookup a domain, and unbound-control can use named unix pipes.

#3 Updated by Renato Botelho over 4 years ago

Olivier Müller wrote:

Thanks for the fixes !

On this topic, Unbound 1.5.2rc1 has just been released, and final may then be ready before pfsense 2.2.1.
http://www.unbound.net/pipermail/unbound-users/2015-February/003774.html

Interesting part:
This release fixes a DNSSEC validation issue when an upstream server
with different trust anchors introduces unsigned records in messages.
Harden-glue when turned off allows potentially poisonous records in
the cache in the hopes of that enabling DNS resolution for 'impossible
to resolve' domains, it is fixed to have 'less cache poisoning',
quotes added because it is by definition not secure to turn off
harden-glue. New features are that "inform" can be used to see which
IPs lookup a domain, and unbound-control can use named unix pipes.

unbound was updated to 1.5.2.

#4 Updated by Chris Buechler over 4 years ago

  • Status changed from Confirmed to Resolved

2.2.1 has Unbound 1.5.2, has hard coded harden-glue yes, and removed that option from the GUI entirely to discourage people from messing with it. I don't see any circumstance where that would be useful or desirable.

Also available in: Atom PDF