mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-09 18:45:54 +02:00
Unbound: Enable DNS cache poisoning mitigation
By default, Unbound neither keeps track of the number of unwanted replies nor initiates countermeasures if they become too large (DNS cache poisoning). This sets the maximum number of tolerated unwanted replies to 1M, causing the cache to be flushed afterwards. (Upstream documentation recommends 10M as a threshold, but this turned out to be ineffective against attacks in the wild.)

See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for details.

This version of the patch uses 1M as the threshold instead of 5M and supersedes the first and second versions.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
committed by Michael Tremer
parent 4ca0cb3354
commit ffba3c98ba
@@ -61,6 +61,9 @@ server:
harden-algo-downgrade: no
use-caps-for-id: no

# Harden against DNS cache poisoning
unwanted-reply-threshold: 1000000

# Listen on all interfaces
interface-automatic: yes
interface: 0.0.0.0
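Review bot: the inline comment above `unwanted-reply-threshold: 1000000` should say why the value is 1M rather than the 10M that the upstream unbound.conf documentation recommends; that rationale currently lives only in the commit message (10M proved ineffective in the wild, 5M was used by earlier versions of this patch), and a later maintainer comparing the file against the documentation could "correct" it upward. Something like `# Harden against DNS cache poisoning: flush the cache after 1M unwanted replies (upstream suggests 10M, found too high in practice)` keeps the decision next to the setting. It is also worth stating in that comment that reaching the threshold flushes the whole cache, since that is the operational effect an operator will notice when the counter trips.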