Date:      Thu, 09 May 2024 12:48:59 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 278870] dns/unbound: Update to 1.20.0
Message-ID:  <bug-278870-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278870

            Bug ID: 278870
           Summary: dns/unbound: Update to 1.20.0
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                URL: https://nlnetlabs.nl/news/2024/May/08/unbound-1.20.0-released/
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: jaap@NLnetLabs.nl
 Attachment #250545 Flags: maintainer-approval+

Created attachment 250545
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=250545&action=edit
Patch to update

This release has a fix for the DNSBomb issue CVE-2024-33655. This has a low
severity for Unbound, since it makes Unbound complicit in targeting others, but
does not affect Unbound so much.

To mitigate the issue new configuration options are introduced. The options
discard-timeout: 1900, wait-limit: 1000 and wait-limit-cookie: 10000 are
enabled by default. They limit the number of outstanding queries that a querier
can have. This limits the reply pulse, and makes Unbound less favorable for the
issue. With the config wait-limit-netblock and wait-limit-cookie-netblock the
parameters can be fine-tuned for specific destinations. More information on the
attack and Unbound's mitigations is presented further down.

Other fixes in this release are that Unbound no longer follows symlinks when
truncating the pidfile. Unbound also does not chown the pidfile; this is for
safety reasons. There are also a number of fixes for RPZ, in handling CNAMEs.
There is a memory leak fix for the edns client subnet cache. For DNSSEC
validation a case is fixed when the query is of type DNAME. The unbound-anchor
program is fixed to first write to a temporary file, before replacing the
original. This handles disk full situations, and because of it unbound-anchor
needs permission to create that file, in the same directory as the original
file. There is also a fix for IP_DONTFRAG, to disable fragmentation instead of
the opposite.

The option cache-min-negative-ttl can be used to set the minimum TTL for
negative responses in the cache. It complements existing options to set the
maximum TTL for negative responses and to set the minimum and maximum TTL but
not specifically for negative responses.

The option cachedb-check-when-serve-expired makes Unbound use cachedb to
check for expired responses, when serve-expired is enabled, and cachedb is
used. It is enabled by default.

The -q option for unbound-checkconf can be added to silence it when there are
no errors.

Summary of the DNSBomb vulnerability CVE-2024-33655.
The DNSBomb attack, via specially timed DNS queries and answers, can cause a
Denial of Service on resolvers and spoofed targets.

Unbound itself is not vulnerable to DoS; rather, it can be used to take part in
a pulsing DoS amplification attack.

Unbound 1.20.0 includes fixes so the impact of the DoS from Unbound is
significantly lower than it used to be, making the attack, and Unbound's
participation, less tempting for attackers.

Affected products
Unbound up to and including 1.19.3.

Description of CVE-2024-33655
The DNSBomb attack works by sending low-rate spoofed queries for a malicious
zone to Unbound. By controlling the delay of the malicious authoritative
answers, Unbound slowly accumulates pending answers for the spoofed addresses.
When the authoritative answers become available to Unbound at the same time,
Unbound starts serving all the accumulated queries. This results in
large-sized, concentrated response bursts to the spoofed addresses.

From version 1.20.0 on, Unbound introduces a couple of configuration options to
help mitigate the impact. Their complete description can be found in the
included manpages but they are also briefly listed here together with their
default values for convenience:

* discard-timeout: 1900 After 1900 ms a reply to the client will be dropped.
Unbound would still work on the query but refrain from replying in order to not
accumulate a huge number of "old" replies. Legitimate clients retry on
timeouts.

* wait-limit: 1000 wait-limit-cookie: 10000 Limits the number of client queries
that require recursion (cache-hits are not counted) per IP address. More
recursive queries than the allowed limit are dropped. Clients with a valid EDNS
Cookie can have a different limit, higher by default. wait-limit: 0 disables
all wait limits.

* wait-limit-netblock wait-limit-cookie-netblock These do not have a default
value but they allow fine-grained configuration for specific netblocks, with or
without EDNS Cookies.

The options above are trying to shrink the DNSBomb window so that the impact of
the DoS from Unbound is significantly lower than it used to be, making the
attack, and Unbound's participation, less tempting for attackers.

Acknowledgements
We would like to thank Xiang Li from the Network and Information Security Lab
of Tsinghua University for discovering and disclosing the attack.

For a full list of changes, binary and source packages, see the
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-20-0.

-- 
You are receiving this mail because:
You are the assignee for the bug.
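The following is an added worked example, not part of the bug report above and
not Unbound source code. It is a small Python model of the DNSBomb reply pulse
the report describes and of the two mitigations it names, discard-timeout and
wait-limit, using the default values quoted in the release notes (1900 ms and
1000; 10000 for clients with a valid EDNS Cookie). Everything else is an
assumption: the attack rates, the victim address 192.0.2.10 (documentation
range), and the simplified bookkeeping, where a query stops counting against
the per-client limit only once its reply is served or has aged past
discard-timeout. Unbound's real internals are not reproduced; the point is to
show which quantity each option bounds.

```python
"""
Toy model of a DNSBomb pulse against a recursive resolver and of the effect
of Unbound 1.20.0's discard-timeout and wait-limit options.

Constructed example: not Unbound code. The attack traffic is made up and the
per-client accounting is a simplification (a query occupies a slot until its
reply is served or it ages out past discard-timeout).
"""
from collections import defaultdict, deque


class ToyResolver:
    """Tracks outstanding recursive queries per client IP address."""

    def __init__(self, discard_timeout_ms=1900, wait_limit=1000,
                 wait_limit_cookie=10000):
        self.discard_timeout_ms = discard_timeout_ms  # 0 = never discard
        self.wait_limit = wait_limit                  # 0 = no wait limit
        self.wait_limit_cookie = wait_limit_cookie    # limit with valid EDNS Cookie
        self.pending = defaultdict(deque)             # ip -> arrival times (ms)
        self.refused = 0                              # dropped by the wait limit
        self.discarded = 0                            # aged out by discard-timeout

    def _expire(self, client_ip, now_ms):
        """Age out replies older than discard-timeout (assumed bookkeeping:
        an aged-out query no longer counts towards the wait limit)."""
        if self.discard_timeout_ms == 0:
            return
        q = self.pending[client_ip]
        while q and now_ms - q[0] > self.discard_timeout_ms:
            q.popleft()
            self.discarded += 1

    def query(self, client_ip, t_ms, valid_cookie=False):
        """A cache-missing query arrives. True if recursion starts for it,
        False if the per-client wait limit makes the resolver drop it."""
        self._expire(client_ip, t_ms)
        limit = self.wait_limit_cookie if valid_cookie else self.wait_limit
        q = self.pending[client_ip]
        if limit and len(q) >= limit:
            self.refused += 1
            return False
        q.append(t_ms)
        return True

    def answers_arrive(self, client_ip, t_ms):
        """All withheld authoritative answers for client_ip become available
        at once; returns how many replies actually leave the resolver."""
        self._expire(client_ip, t_ms)
        return len(self.pending.pop(client_ip, ()))


def dnsbomb_pulse(resolver, victim_ip="192.0.2.10", n_queries=1200, interval_ms=100):
    """Attacker sends queries for its own zone with the victim as spoofed
    source at a steady low rate; its authoritative server withholds every
    answer until the last query is in, then releases them all together.
    Returns (replies in the burst, queries refused by the wait limit)."""
    for i in range(n_queries):
        resolver.query(victim_ip, i * interval_ms)
    release_ms = (n_queries - 1) * interval_ms
    return resolver.answers_arrive(victim_ip, release_ms), resolver.refused


def compare_settings():
    """Burst size the victim receives, per attack rate and configuration."""
    configs = {
        "no-mitigation": dict(discard_timeout_ms=0, wait_limit=0),  # pre-1.20.0 behaviour
        "discard-timeout only": dict(wait_limit=0),
        "1.20.0 defaults": {},
    }
    attacks = {
        "slow pulse (1 query / 100 ms, 2 min)": dict(n_queries=1200, interval_ms=100),
        "fast pulse (1 query / ms, 2 min)": dict(n_queries=120000, interval_ms=1),
    }
    return {
        attack: {name: dnsbomb_pulse(ToyResolver(**ckw), **akw)[0]
                 for name, ckw in configs.items()}
        for attack, akw in attacks.items()
    }


if __name__ == "__main__":
    for attack, results in compare_settings().items():
        print(attack)
        for name, burst in results.items():
            print(f"  {name:22s} replies in burst: {burst}")
```

Under this model the two options bound different things: discard-timeout caps
the burst to the queries that arrived in the last 1.9 s (20 for the slow pulse,
1901 for the fast one), while wait-limit caps how many can be outstanding for
one spoofed source at all, so the fast pulse is cut to 1000 with the 1.20.0
defaults; the slow pulse never reaches the wait limit and is bounded by
discard-timeout alone. The attack still works, which matches the report's
wording that the fixes make participation less tempting rather than impossible.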


