benno at NLnetLabs.nl
Wed Aug 25 10:02:24 UTC 2021
On 17/08/2021 22:09, A. Schulze via Unbound-users wrote:
> there is a rumor about some weakness in DNS. Details in this thread: https://lists.dns-oarc.net/pipermail/dns-operations/2021-August/021260.html
> A test site is available at https://xdi-attack.net/test.html
> The test shows unbound-1.13.2 as green (not vulnerable) but there are some hints regarding special character filtering.
> Maybe the unbound developer at nlnetlabs could rate these hints?

We did read the USENIX paper and the email thread on dns-operations.
Currently, Unbound is binary clean in hostnames/domainnames, but we
could implement options for additional filtering on hostnames. (We do
already have options for scrubbing replies in Unbound.)

However, the discussion on the mailing list also makes it clear that
there are different ideas about *where* the bad content filtering should
take place, in the infrastructure (i.e. the name servers) or at the
endpoint (stub resolvers and libraries). We'd love to hear more
community consensus to make this architectural decision.

Benno J. Overeinder
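
What "binary clean" names mean for whoever consumes them, as an added example that is not part of the original message and is not Unbound code: a DNS label on the wire is a length byte followed by arbitrary octets, so a consumer that expects a hostname has to apply the letter-digit-hyphen rule itself and escape anything else before logging or displaying it. The function names and sample names are constructed for illustration.

```python
import string

# Octets allowed in a hostname label (RFC 952 / RFC 1123 letter-digit-hyphen rule).
LDH = frozenset((string.ascii_letters + string.digits + "-").encode())

def parse_wire_name(buf: bytes) -> list:
    """Split an uncompressed wire-format DNS name into its raw labels."""
    labels, i = [], 0
    while True:
        if i >= len(buf):
            raise ValueError("truncated name: no root label")
        n = buf[i]
        if n == 0:                      # root label terminates the name
            break
        if n > 63:                      # top bits set: pointer or reserved
            raise ValueError("compression pointer or invalid label length")
        label = buf[i + 1 : i + 1 + n]
        if len(label) != n:
            raise ValueError("truncated label")
        labels.append(label)
        i += 1 + n
    if i + 1 > 255:
        raise ValueError("name longer than 255 octets")
    return labels

def is_ldh_hostname(labels: list) -> bool:
    """True only if every label is LDH and does not start or end with '-'."""
    if not labels:                      # the root name alone is not a hostname
        return False
    return all(
        set(l) <= LDH and not l.startswith(b"-") and not l.endswith(b"-")
        for l in labels
    )

def present(labels: list) -> str:
    """Render labels for logs; every non-LDH octet becomes a \\DDD escape."""
    return ".".join(
        "".join(chr(b) if b in LDH else "\\%03d" % b for b in l) for l in labels
    )

# Constructed samples: an ordinary name, and one whose first label carries
# a literal dot, a NUL byte and '<' (all legal on the wire).
GOOD = b"\x03www\x07example\x03com\x00"
ODD = b"\x06a.b\x00<c\x07example\x03com\x00"

if __name__ == "__main__":
    for raw in (GOOD, ODD):
        labels = parse_wire_name(raw)
        print(present(labels), "hostname" if is_ldh_hostname(labels) else "not a hostname")
```

Names that legitimately contain other characters, such as underscore-prefixed service labels, fail this strict check, so it belongs only where a hostname is expected.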