[Unbound-users] [Q]unwanted-reply-threshold
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Tue Mar 17 08:13:19 UTC 2009
Hi Kaito,
It counts replies that come in on open ports, purportedly from authority
servers, that are 'not wanted' (wrong ID, wrong source address).
Perhaps port randomisation is foiling this? It only counts when the
metasploit hits an open port; if you do one query, only one port is open.
You can get unbound to open more ports by setting outgoing-range: 950
and by replaying a trace with a lot of different queries to resolve.
To defeat port randomisation in unbound (Warning to other people: do not
put this in your production resolver; it's bad):
# note these lines take effect in order first to last.
outgoing-port-avoid: "0-65535"
outgoing-port-permit: 12345
makes it use just one port. (if you have multiple threads, give it a
couple more ports; it needs at least one per thread).
Then, metasploit should have no trouble hitting the unwanted reply
counter. And also poisoning the cache (unless you are using DNSSEC).
Best regards,
Wouter
kaito wrote:
> Hello, everyone,
>
> This is kaito. Now, I test unbound 1.2.1 on Ubuntu 8.04 Server.
> There is a question about "unwanted-reply-threshold" parameter.
> What replies are counted by this parameter?
>
> Using metasploit framework 3.3-dev to do a Kaminsky attack,
> unbound did not count unwanted-replies...
>
> Sincerely,
> kaito
>
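The mechanism Wouter describes (a forged reply is only ever seen, and so only ever counted as "unwanted", when it lands on a port that currently has a query outstanding) can be shown with a small simulation. This is an added example, not code from Unbound or from either poster. It assumes a randomising resolver draws source ports from 1024-65535, uses the single port 12345 from the config above for the pinned case, and uses a constructed authority address that the attacker spoofs correctly, so only the port and the transaction ID have to be guessed, as in a Kaminsky-style attack.

```python
"""Toy model of Unbound's reply matching, to show why the unwanted-reply
counter stays at zero against a port-randomising resolver with one open
port, and climbs as soon as the outgoing port is pinned.
Added example; not Unbound's own code."""
import random

# Assumption: the randomised pool is the ephemeral range 1024-65535.
RANDOM_PORTS = range(1024, 65536)
# The single port forced by outgoing-port-avoid: "0-65535" plus
# outgoing-port-permit: 12345 in the message above.
PINNED_PORTS = [12345]
# Constructed address of the authority server being impersonated.
AUTH_SERVER = "192.0.2.53"


class Resolver:
    """A reply is examined only if it arrives on a port with an outstanding
    query; then transaction ID and source address must both match."""

    def __init__(self):
        self.open_ports = {}   # port -> (txid, expected source address)
        self.dropped = 0       # closed port: the resolver never sees the packet
        self.unwanted = 0      # open port but wrong ID/source: what the threshold counts
        self.accepted = 0      # port, ID and source all match: poisons the cache
                               # unless DNSSEC validation rejects the data

    def receive(self, port, txid, src):
        pending = self.open_ports.get(port)
        if pending is None:
            self.dropped += 1
            return "closed"
        if (txid, src) != pending:
            self.unwanted += 1
            return "unwanted"
        self.accepted += 1
        return "accepted"


def simulate(resolver_ports, attacker_ports, n_queries, n_forged, seed=0):
    """Open n_queries distinct ports from resolver_ports (one per outstanding
    query), then let a blind attacker who spoofs AUTH_SERVER send n_forged
    replies with a random port from attacker_ports and a random 16-bit ID."""
    rng = random.Random(seed)
    r = Resolver()
    for port in rng.sample(resolver_ports, min(n_queries, len(resolver_ports))):
        r.open_ports[port] = (rng.randrange(65536), AUTH_SERVER)
    for _ in range(n_forged):
        r.receive(rng.choice(attacker_ports), rng.randrange(65536), AUTH_SERVER)
    return {"dropped": r.dropped, "unwanted": r.unwanted, "accepted": r.accepted}


if __name__ == "__main__":
    # One query outstanding, ports randomised: nearly every forgery hits a
    # closed port and is never counted.
    print("randomised, 1 query  :", simulate(RANDOM_PORTS, RANDOM_PORTS, 1, 20000))
    # outgoing-range: 950 with many queries in flight: more open ports, so more
    # forgeries are seen and counted.
    print("randomised, 950 open :", simulate(RANDOM_PORTS, RANDOM_PORTS, 950, 20000))
    # Port pinned to 12345: every forgery is seen; all but the rare ID match
    # are counted as unwanted.
    print("pinned to 12345      :", simulate(PINNED_PORTS, PINNED_PORTS, 1, 20000))
```

The accepted count in the pinned run is the cache-poisoning case; it only needs a matching 16-bit ID, which is why the message says metasploit will then have no trouble poisoning the cache unless DNSSEC is in use.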