Maintained by: NLnet Labs

[Unbound-users] [Q]unwanted-reply-threshold

W.C.A. Wijngaards
Tue Mar 17 09:13:19 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Kaito,

It counts replies that come in open ports, purported from authority
servers, that are 'not wanted' (wrong ID, wrong source address).

Perhaps port randomisation is foiling this?  It only counts when the
metasploit hits an open port; if you do one query, only one port is open.

You can get unbound to open more ports by setting outgoing-range: 950
and by replaying a trace with a lot of different queries to resolve.

Do defeat port randomisation in unbound (Warning to other people: do not
put this in your production resolver; its bad):
	# note these lines take effect in order first to last.
	outgoing-port-avoid: "0-65535"
	outgoing-port-permit: 12345
makes it use just one port. (if you have multiple threads, give it a
couple more ports; it needs at least one per thread).

Then, metasploit should have no trouble hitting the unwanted reply
counter.  And also poisoning the cache (unless you are using DNSSEC).

Best regards,
   Wouter

kaito wrote:
> Hello, everyone,
> 
> This is kaito. Now, I test unbound 1.2.1 on Ubuntu 8.04 Server.
> There is a question about "unwanted-reply-threshold" parameter.
> What replies are count by this parameter?
> 
> Using metasploit framework 3.3-dev to do kaminsky attack,
> unbound did not count unwanted-replies...
> 
> Sincerely,
> kaito
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkm/W58ACgkQkDLqNwOhpPgBDgCcD+3qK01VK5cAcsmAXO15RxI0
/aUAoLIsb9/n/6U5hrPtv2TmceChhr0r
=OI9w
-----END PGP SIGNATURE-----