EDNS client subnet hardening

Andreas Schwarz andreas at black-code.de
Thu Sep 10 13:04:49 UTC 2020


Hi,

I recently noticed that I can send an arbitrary EDNS client subnet to my unbound instance, which unbound then uses instead of my DNS request's IP header address.
From my understanding of the code, around here https://github.com/NLnetLabs/unbound/blob/master/edns-subnet/subnetmod.c#L719 unbound only uses the DNS request's IP address ('query_reply.addr') if no client subnet data is in the request.

I would have expected being able to harden unbound against this kind of spoofing, but there seems to be no config option.
Is this hardening something that isn't expected to be done in unbound?

See also: https://github.com/NLnetLabs/unbound/issues/298

Thoughts appreciated.

Cheers
Andreas
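The decision the post describes (forward the client-supplied ECS prefix when present, otherwise fall back to the query's source address) with the hardening the poster asks for, as an added example written for this thread rather than unbound's own code: the ECS option is only honoured when the query came from a trusted source network, and forwarded prefixes are capped. The trusted-network list, the prefix caps and the sample option bytes are constructed assumptions, not values from unbound.

```python
"""Hardened EDNS Client Subnet (ECS) selection (RFC 7871 option format)."""
import ipaddress
import struct

ECS_OPTION_CODE = 8          # EDNS option code for client subnet
MAX_PREFIX = {4: 24, 6: 56}  # assumed longest prefix forwarded upstream (v4, v6)


def parse_ecs_option(data: bytes):
    """Parse ECS option data (after option-code/length) into an ip_network.

    Wire layout: FAMILY(2) SOURCE-PREFIX(1) SCOPE-PREFIX(1) ADDRESS(ceil(prefix/8)).
    Returns None for anything malformed so the caller falls back safely.
    """
    if len(data) < 4:
        return None
    family, src_len, _scope_len = struct.unpack("!HBB", data[:4])
    addr_len = (src_len + 7) // 8
    if len(data) != 4 + addr_len:           # truncated or trailing garbage
        return None
    if family == 1:
        full, bits = 4, 32
    elif family == 2:
        full, bits = 16, 128
    else:
        return None
    if src_len > bits:
        return None
    raw = data[4:] + b"\x00" * (full - addr_len)  # pad to a full address
    # strict=False discards host bits; RFC 7871 requires them to be zero anyway.
    return ipaddress.ip_network((ipaddress.ip_address(raw), src_len), strict=False)


def choose_client_subnet(source_ip: str, ecs_data, trusted_ecs_sources):
    """Return the network to forward upstream.

    source_ip           -- address from the query's IP header (query_reply.addr)
    ecs_data            -- raw ECS option data from the OPT RR, or None
    trusted_ecs_sources -- networks (strings) allowed to assert a client subnet
    """
    src = ipaddress.ip_address(source_ip)
    trusted = any(src in ipaddress.ip_network(n) for n in trusted_ecs_sources)
    net = parse_ecs_option(ecs_data) if (ecs_data is not None and trusted) else None
    if net is None:
        # Untrusted, absent or malformed ECS: use the real source address, capped.
        return ipaddress.ip_network((src, MAX_PREFIX[src.version]), strict=False)
    cap = MAX_PREFIX[net.version]
    if net.prefixlen > cap:                 # never leak a longer prefix than the cap
        net = ipaddress.ip_network((net.network_address, cap), strict=False)
    return net
```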
