
Author Topic: unbound cache poisoning question  (Read 2873 times)


Offline Trel

unbound cache poisoning question
« on: January 28, 2015, 06:53:14 pm »
Since unbound is a resolver and not just a forwarder, can its cache be poisoned?

If so if I have two isolated network segments with pfsense between them, could one end poison the cache such that things resolve incorrectly on the other?

Offline cmb (Chris Buechler)
Re: unbound cache poisoning question
« Reply #1 on: January 28, 2015, 07:16:26 pm »
> Since unbound is a resolver and not just a forwarder, can its cache be poisoned?

Yes. The means of doing so will vary depending on whether it's doing its own recursion or not, but for things that aren't DNSSEC-enabled (assuming you have DNSSEC enabled) it's still possible to cache poison.

> If so if I have two isolated network segments with pfsense between them, could one end poison the cache such that things resolve incorrectly on the other?

In this circumstance, assuming there's a separate third interface WAN where all the DNS queries are resolved (which would be the case whether you're in forwarding mode or having unbound do recursion), no, neither of those networks can cache poison.
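A way to see which of the two cases cmb describes a given answer falls into (validated, rejected by the validator, or unsigned and therefore still poisonable) is to query the resolver with `dig +dnssec` and read the header. This is an added example, not code from the thread or from pfSense; the dig outputs embedded below are constructed, and `check()` assumes `dig` is installed and unbound listens on 127.0.0.1.

```python
import re
import subprocess

# Constructed dig output, not captured from the poster's firewall: validated, rejected, unsigned.
SAMPLE_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.\t3600\tIN\tA\t192.0.2.10
example.net.\t3600\tIN\tRRSIG\tA 13 2 3600 20150301000000 20150201000000 4711 example.net. (sig)
"""
SAMPLE_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.\t300\tIN\tA\t198.51.100.20
"""

def parse_dig(output):
    """Pull status, header flags and A-record answers out of dig's text output."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([a-z ]+);", output)
    answers = re.findall(r"^\S+\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$", output, re.M)
    return {"status": status.group(1) if status else None,
            "flags": set(flags.group(1).split()) if flags else set(),
            "answers": sorted(answers)}

def assess(parsed):
    """validated: AD set, the answer passed DNSSEC validation.  bogus: SERVFAIL, which a
    validating resolver returns for data it rejects (re-run with +cd to tell that from an
    upstream outage).  unvalidated: NOERROR without AD, an unsigned zone or a resolver that
    is not validating; this is the case where cache poisoning remains possible."""
    if parsed["status"] == "SERVFAIL":
        return "bogus"
    if parsed["status"] == "NOERROR":
        return "validated" if "ad" in parsed["flags"] else "unvalidated"
    return "other"

def check(name, server="127.0.0.1"):
    """Query the resolver with the DO bit set (+dnssec) and classify its reply."""
    out = subprocess.run(["dig", "+dnssec", f"@{server}", name, "A"],
                         capture_output=True, text=True, check=True).stdout
    return assess(parse_dig(out))
```

Running `check()` against a name you know is signed should return `validated`; if it returns `unvalidated` for every signed name, the resolver is not validating at all.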

Offline Trel

Re: unbound cache poisoning question
« Reply #2 on: January 28, 2015, 08:10:27 pm »
> > Since unbound is a resolver and not just a forwarder, can its cache be poisoned?
>
> Yes. The means of doing so will vary depending on whether it's doing its own recursion or not, but for things that aren't DNSSEC-enabled (assuming you have DNSSEC enabled) it's still possible to cache poison.
>
> > If so if I have two isolated network segments with pfsense between them, could one end poison the cache such that things resolve incorrectly on the other?
>
> In this circumstance, assuming there's a separate third interface WAN where all the DNS queries are resolved (which would be the case whether you're in forwarding mode or having unbound do recursion), no, neither of those networks can cache poison.

So in my scenario, I had DNSSEC and Forwarding mode off.

I have two networks, which are on two different interfaces off pfsense, and there's no communication between them.
Any issues with DNS are upstream, no chance something in Network A affected unbound such that it gave incorrect information to Network B?

Offline cmb

Re: unbound cache poisoning question
« Reply #3 on: January 28, 2015, 08:18:16 pm »
> Any issues with DNS are upstream, no chance something in Network A affected unbound such that it gave incorrect information to Network B?

Correct. What it replies with when forwarding is off is the replies it obtains from the name servers of the domain in question. That should strictly be via WAN in that case (assuming you're not also using either of those LANs as an Internet connection), so neither LAN can affect that traffic.

Offline Trel

Re: unbound cache poisoning question
« Reply #4 on: January 28, 2015, 08:22:38 pm »
> > Any issues with DNS are upstream, no chance something in Network A affected unbound such that it gave incorrect information to Network B?
>
> Correct. What it replies with when forwarding is off is the replies it obtains from the name servers of the domain in question. That should strictly be via WAN in that case (assuming you're not also using either of those LANs as an Internet connection), so neither LAN can affect that traffic.

Nope, only the WAN provides the internet connection, and WAN is the only thing selected for "Outgoing Network Interfaces".

Which is even more worrisome as I've now had this issue with Google DNS and Level3 DNS.
And the only device between me and the internet is a modem (not even a wireless gateway, just a docsis3 modem w/ voice)

Offline kejianshi

Re: unbound cache poisoning question
« Reply #5 on: January 28, 2015, 08:24:46 pm »
I'm imagining by now you have enabled DNSSEC, removed all other DNS servers, purged the DNS cache everywhere, rebooted pfsense and checked to see if the problem remains?

And the result is?

Offline Trel

Re: unbound cache poisoning question
« Reply #6 on: January 28, 2015, 08:30:42 pm »
> I'm imagining by now you have enabled DNSSEC, removed all other DNS servers, purged the DNS cache everywhere, rebooted pfsense and checked to see if the problem remains?
>
> And the result is?

I've enabled DNSSEC, removed all but OpenDNS (so pfsense can still resolve and provide DNS), purged DNS Cache, and rebooted.

The problem isn't actively happening 100% of the time, so it's very hard to test. I won't know if the problem remains until it starts happening again (if it happens again).

Offline kejianshi

Re: unbound cache poisoning question
« Reply #7 on: January 28, 2015, 08:32:27 pm »
Why run OpenDNS?  To test fate?
Do you believe they know something the root servers do not?

Offline Trel

Re: unbound cache poisoning question
« Reply #8 on: January 28, 2015, 08:46:52 pm »
> Why run OpenDNS?  To test fate?
> Do you believe they know something the root servers do not?

Ok, I've removed them all.
Let's see what happens now.
FYI "Do not use the DNS Forwarder as a DNS server for the firewall" was NEVER on.

Offline kejianshi

Re: unbound cache poisoning question
« Reply #9 on: January 28, 2015, 08:47:19 pm »
ONLY unbound, not in forwarder mode and with DNSSEC and nothing else.

Is there a reason you wish to have more than that running?

Offline Trel

Re: unbound cache poisoning question
« Reply #10 on: January 28, 2015, 08:55:47 pm »
> ONLY unbound, not in forwarder mode and with DNSSEC and nothing else.
>
> Is there a reason you wish to have more than that running?

No, the DNS servers in general were left over from when I was using dnsmasq.

My settings now are DNSSEC on, Forwarder off, specific interfaces to respond on, WAN only in outgoing, and one custom host for an internal site, and DHCP and Static Registration on.

If it happens again, I know 100% it's upstream, though from what I've been told, it has to be.
But if it's upstream, what's the next step :\
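The settings listed above (DNSSEC on, forwarder off, WAN as the only outgoing interface) end up in the unbound.conf that pfSense generates, so they can be audited there rather than trusting the GUI. This is an added example, not the poster's or pfSense's code; the config fragment is constructed in the shape pfSense writes, and the WAN address passed to `audit()` is an assumption.

```python
import re

# Constructed unbound.conf fragment in the shape pfSense generates for the settings
# described in the thread; the addresses are documentation ranges, not the poster's.
SAMPLE_CONF = """\
server:
    interface: 192.168.1.1
    interface: 192.168.2.1
    outgoing-interface: 203.0.113.7
    access-control: 192.168.1.0/24 allow
    access-control: 192.168.2.0/24 allow
    module-config: "validator iterator"
    auto-trust-anchor-file: /var/unbound/root.key
    harden-glue: yes
    harden-dnssec-stripped: yes
"""

def parse_conf(text):
    """Collect key: value pairs; unbound allows most keys to repeat, so values are lists.
    Clause headers such as 'server:' or 'forward-zone:' appear as keys with no values."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+):\s*(.*?)\s*$", line.split("#", 1)[0])
        if m:
            conf.setdefault(m.group(1), [])
            if m.group(2):
                conf[m.group(1)].append(m.group(2).strip('"'))
    return conf

def audit(conf, wan_addrs):
    """Return findings; an empty list means: recursing (no forwarders), validating DNSSEC,
    and sending every outgoing query from a WAN address so neither LAN sees that traffic."""
    findings = []
    if "forward-zone" in conf:
        findings.append("forward-zone present: answers come from the forwarders, not the zone's own servers")
    if not any("validator" in v for v in conf.get("module-config", [])):
        findings.append("module-config lacks 'validator': DNSSEC validation is off")
    if not (conf.get("auto-trust-anchor-file") or conf.get("trust-anchor-file")):
        findings.append("no trust anchor configured, so validation cannot succeed")
    outgoing = conf.get("outgoing-interface", [])
    if not outgoing:
        findings.append("outgoing-interface unset: queries may leave on any interface, LANs included")
    for addr in outgoing:
        if addr not in wan_addrs:
            findings.append(f"outgoing-interface {addr} is not a WAN address")
    return findings
```

On a live box, read the generated file with `parse_conf(open("/var/unbound/unbound.conf").read())` and pass the WAN address the firewall actually holds; the path is the one pfSense used at the time and may differ on your version.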

Offline kejianshi

Re: unbound cache poisoning question
« Reply #11 on: January 28, 2015, 09:00:48 pm »
http://en.wikipedia.org/wiki/Carrier_pigeon

Offline Trel

Re: unbound cache poisoning question
« Reply #12 on: January 28, 2015, 09:05:50 pm »
> http://en.wikipedia.org/wiki/Carrier_pigeon

Hmm, I tried that before.  The transmission size was excellent, but the latency and packet loss left a lot to be desired.

Offline kejianshi

Re: unbound cache poisoning question
« Reply #13 on: January 28, 2015, 09:11:06 pm »
Ultimately you will probably find that networks can only be trusted if they are limited to a LAN and there is no access to the internet.

I'm sure whatever measures I take to make things more secure are at best an annoyance to any well-funded, highly motivated agency, group of criminals or bored teenage kid.

Offline Trel

Re: unbound cache poisoning question
« Reply #14 on: January 28, 2015, 09:29:11 pm »
> Ultimately you will probably find that networks can only be trusted if they are limited to a LAN and there is no access to the internet.
>
> I'm sure whatever measures I take to make things more secure are at best an annoyance to any well-funded, highly motivated agency, group of criminals or bored teenage kid.

For now I put 2 floating block rules against that whole subnet that the DNS gets redirected to.  Hopefully even if the DNS gets messed with somehow still, it'll prevent people from trying to load those sites.