serve-expired does not adhere to secure-by-default principle #1175
Comments
|
Hi Pim,
When implementing RFC 8767 we purposely left the Serving expired answers is not ideal because the upstream explicitly communicates the TTL of the original record. Serving expired answers is mostly for controlled environments or big installations where the expired answers are used to push the qps up. For regular resolving I would advise to turn it off and instead use |
|
Hey Yorgos, yeah this was definitely my own mistake for just using 'some' docker container and trusting that container was using a sane / secure configuration without taking a good look at it's configuration myself. So the only one to blame for that is me 😿 One other thought I had about |
On the Docker topic, I hear good stories about the one maintained by @madnuttah. |
An (semi) official recommendation would be welcome too, will look at that docker image. Thanks! I'm currently using https://hub.docker.com/r/klutchell/unbound (see also mentioned issue above) because his build/config seemed ok as well and that image has 10M+ pulls on docker hub as opposed to 50K+ for the image by @madnuttah. I remember looking at https://hub.docker.com/r/mvance/unbound too, but iirc correctly then klutchell's image is very small / distribution less while mvance's isn't. |
There are such numbers! Look for But I think you are holding it wrong :) |
|
If you're going into the config to set serve-expired to yes - it doesn't take much to change the serve-expired-ttl at the same time whilst in the config? I don't see this as a "real" issue, as such. |
|
@AlexanderBand FWIW, madnuttah also sets @gthess Thanks for the tip about @Dynamic5912 That's not the point, you make an assumption that people already know that they have to configure |
|
If people are configuring Unbound they should have the knowledge and know-how to understand what they're configuring and enabling. |
Thank you for your heads-up! I'll fix that asap. As you've mentioned, the default config doesn't serve expired entries. |
Signed-off-by: ϺΛDИVTTΛH <[email protected]>
Wouldn't having the cache TTL as 0 and using Prefetch negate any issues though? Prefetch would (should) update those records in the cache as they are technically expired? |
I am not sure I follow but prefetch and serve-expire trigger the same fetching logic. Prefetch does it when a currently non-expired reply is in the last 10% of the original TTL, serve-expired does it when the record is expired. Both try to update the cache. So if you only have prefetch enabled, then an expired record will not be used and instead resolved normally. |
Describe the bug
If you just set
serve-expired: yesin your config, then unbound could serve stale dns entries for ever as the default value forserve-expired-ttlis 0. This is not a secure configuration.To reproduce
n.a.
Expected behavior
unbound should also follow suggestions from RFC-8767 and not just recommendation and therefore set a non-zero default value for
serve-expired-ttl. The decision to serve expired data forever should be an explicit decision by the user as they put themselves at risk by doing so. See below for why.System:
n.a.
Additional information
1. Security issue
As background and to explain why this should probably be considered a security issue, I was bit by this last week when I was performing an online payment when my browser stopped the request as I was about to be redirected to an unsecure page/domain.
After investigating I noticed that the SSL certificate of the page I was on did not belong to the PSP that was handling the payment but some random other third party. After contacting the PSP they mentioned that they had reason to believe this was caused by DNS caching. Although I didn't believe them at first, after diving into the unbound config more I'm quite sure they were right (sry PSP).
Looking at the unbound logs, I had last visited that PSP checkout page something like a month ago and I guess that when I first requested the PSP's checkout page last week that unbound served the cached DNS response from last month. But it seems that in between last month and last week, the PSP scaled down/changed their capacity causing the resources they used last month to not be used anymore. And their cloud provider had allocated those resources to another third party.
TLDR: this is a security issue as due to this default unbound configuration I almost submitted personal / payment information to some random third party as unbound served me a month old DNS record. Luckily my browser stopped me from doing that.
2. RFC
Also, I wonder whether unbound does really adhere to RFC-8767. Unbound says about enabling
serve-expiredthat it attempts to serve old responses ... without waiting for the actual resolution to finish. But section 7 of the RFC says that a good-faith effort has been recently made to refresh the stale data before it is delivered to any client.I might misunderstand the RFC here, but it seems the RFC says an attempt to refresh has to be made while unbound immediately sends stale data without trying to refresh? I guess that unbound could better adhere to the RFC by also setting a non-zero value for
serve-expired-client-timeoutby default.3. Mitigation
Instead or in addition to setting
serve-expired-ttl, maybe a setting likeserve-expired-ttl-factorcould be added. This might be outside the scope of RFC-8767, but the party who knows best how long DNS data should be cached is the owner of the DNS recordset who already sets a TTL themselves. And setting a fixed duration forserve-expired-ttlseems wrong as it doesn't take the intentions of the original DNS owner into account. A setting likeserve-expired-ttl-factor: 10could be added to work next toserve-expired-ttl, whereserve-expired-ttlis the maximum value andserve-expired-ttl-factormeans that unbound only serves stale cache data for the configured factor value times the TTL that the owner of the DNS record configured.F.e. setting a config like:
could mean that when requesting a DNS record with a configured TTL of 60 seconds would then only be cached for
10 * 60 = 600seconds while a DNS record with a TTL of10.000would be cached for86400seconds (and thus not10 * 10.000 = 100.000)The text was updated successfully, but these errors were encountered: