EDNS client subnet hardening
Andreas Schwarz
andreas at black-code.de
Thu Sep 10 13:04:49 UTC 2020
Hi,
I recently noticed that I can send an arbitrary EDNS client subnet to my unbound instance, which unbound then uses instead of my DNS request's IP header address.
From my understanding of the code, around here https://github.com/NLnetLabs/unbound/blob/master/edns-subnet/subnetmod.c#L719 unbound only uses the DNS request's IP address ('query_reply.addr') if no client subnet data is in the request.
I would have expected being able to harden unbound against this kind of spoofing, but there seems to be no config option.
Is this hardening something that isn't expected to be done in unbound?
See also: https://github.com/NLnetLabs/unbound/issues/298
Thoughts appreciated.
Cheers
Andreas
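The behaviour described in this post, a resolver honouring whatever EDNS Client Subnet (ECS, RFC 7871) option a client puts in its query, is illustrated below with an added example. This is not unbound's code and unbound, per the post, has no such option; it is a standalone Python sketch of the hardening being asked for: parse the ECS option strictly, but only honour it when the query arrived from an address in a hypothetical trusted-sources list, and otherwise derive the subnet from the query's own source address (the equivalent of query_reply.addr). The trusted-source list, the prefix-length caps and the sample option bytes are constructed for the example.

```python
import ipaddress
import struct

EDNS_OPTION_CLIENT_SUBNET = 8  # RFC 7871 EDNS option code for CLIENT-SUBNET

# Constructed sample: an ECS option claiming the client is in 203.0.113.0/24
# (FAMILY=1 IPv4, SOURCE PREFIX-LENGTH=24, SCOPE PREFIX-LENGTH=0, 3 address octets)
SAMPLE_SPOOFED_ECS = struct.pack("!HBB", 1, 24, 0) + bytes([203, 0, 113])

# Hypothetical policy: only queries from these networks may supply their own ECS
# (e.g. a trusted downstream forwarder); everyone else gets their source address used.
TRUSTED_ECS_SOURCES = ["10.0.0.0/8"]


def parse_client_subnet(option_data: bytes):
    """Strictly parse an ECS option payload (RFC 7871 section 6).

    Returns (network, scope_prefix). Raises ValueError on malformed data,
    including the RFC requirement that bits beyond SOURCE PREFIX-LENGTH be zero.
    """
    if len(option_data) < 4:
        raise ValueError("ECS option too short")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", option_data[:4])
    addr_bytes = option_data[4:]
    if family == 1:
        total_bytes, addr_cls = 4, ipaddress.IPv4Address
    elif family == 2:
        total_bytes, addr_cls = 16, ipaddress.IPv6Address
    else:
        raise ValueError(f"unsupported address family {family}")
    if source_prefix > total_bytes * 8:
        raise ValueError("source prefix longer than address")
    # The address is truncated to the minimum number of octets covering the prefix.
    if len(addr_bytes) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match source prefix length")
    addr = addr_cls(addr_bytes + b"\x00" * (total_bytes - len(addr_bytes)))
    network = ipaddress.ip_network((addr, source_prefix), strict=False)
    if int(network.network_address) != int(addr):
        raise ValueError("non-zero bits beyond source prefix")
    return network, scope_prefix


def choose_subnet_for_upstream(query_source_ip, ecs_option=None,
                               trusted_sources=TRUSTED_ECS_SOURCES,
                               max_prefix_v4=24, max_prefix_v6=56):
    """Decide which client subnet the resolver would forward upstream.

    A client-supplied ECS option is honoured only if the query's own source
    address lies in trusted_sources. Otherwise the source address is used,
    truncated to the configured maximum prefix length so no full host address leaks.
    """
    src = ipaddress.ip_address(query_source_ip)
    trusted = [ipaddress.ip_network(n) for n in trusted_sources]
    if ecs_option is not None and any(src in net for net in trusted):
        network, _scope = parse_client_subnet(ecs_option)
        return network
    # Untrusted source (or no ECS at all): ignore the claimed subnet entirely.
    limit = max_prefix_v4 if src.version == 4 else max_prefix_v6
    return ipaddress.ip_network((src, limit), strict=False)


if __name__ == "__main__":
    # An untrusted client claiming 203.0.113.0/24 still gets its real /24 used.
    print(choose_subnet_for_upstream("198.51.100.7", SAMPLE_SPOOFED_ECS))
    # A trusted forwarder's ECS is passed through.
    print(choose_subnet_for_upstream("10.1.2.3", SAMPLE_SPOOFED_ECS))
```

The check that matters for the spoofing scenario in the post is the `any(src in net ...)` gate: without it, the spoofed 203.0.113.0/24 would be used for cache lookups and upstream queries regardless of where the query actually came from. The strict parser additionally rejects options whose address bits extend past the stated prefix, which is the most common way a malformed or deliberately odd ECS option shows up.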