Currently, Unbound only prints statistics if it is being shutdown
(mostly because of a machine reboot). This makes detecting DNS
anomalies hard as no intermediate statistic result is being logged.
This patch changes Unbound's behaviour in order to log statistics
every 86,400 seconds (i.e. 24 hours).
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
random bits into upstream queries. Upstream documentation claims
it to be an experimental implementation, it did not cause any trouble
on productive systems here.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
further details.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
By default, Unbound neither keeps track of the number of unwanted
replies nor initiates countermeasures if they become too large (DNS
cache poisoning).
This sets the maximum number of tolerated unwanted replies to
1M, causing the cache to be flushed afterwards. (Upstream documentation
recommends 10M as a threshold, but this turned out to be ineffective
against attacks in the wild.)
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
details. This version of the patch uses 1M as threshold instead of
5M and supersedes the first and second version.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This causes trouble when you try to resolve a record like
a.b.blah.com where b.blah.com responds with NXDOMAIN. unbound
won't try to resolve a.b.blah.com because it is assumed that
everything longer than b.blah.com does not exist which is
probably not good usability.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Before the bridge tries reading any existing leases from unbound
but this makes it difficult to destinguish between what is a DHCP lease,
static host entry or anything else.
This patch will change the bridge back to just remember what has been
added to the cache already which makes it easier to keep track.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If there are any invalid hostnames in the DHCP leases
table, we just skip them and do not create and RRs for
them.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This allows us to restart unbound and all DHCP leases
will be re-imported even if the unbound-dhcp-leases-bridge is
not restarted.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
