Date: Sat, 14 Oct 2017 22:43:23 +0100
From: RW
To: freebsd-questions@freebsd.org
Subject: Re: Unbound(8) caching resolver no workie on fresh install :-(
Message-ID: <20171014224323.1ed35da3@gumby.homeunix.com>
References: <4172.1507827505@segfault.tristatelogic.com>

On Thu, 12 Oct 2017 17:31:32 -0400
Baho Utot wrote:

> On 10/12/2017 12:58 PM, Ronald F. Guilmette wrote:
> > During this (fresh) install, I -never- explicitly selected any
> > option that would obviously have the effect of telling unbound to
> > forward/route all of its DNS queries through any other specific
> > name servers). So why on earth would it be doing so?
>
> Because the base system uses unbound as the resolver.

That doesn't explain why it forwards by default. Is ISP cache poisoning
entirely a thing of the past? IIRC there are also attacks where a DSL
router is hacked and reconfigured to give bogus DNS servers via DHCP.

There's also the issue that mail servers should avoid using shared
caches because of per IP address limits on blocklists.

Linux resolver packages that set up forwarding without making it clear
have been a problem for a while now.