
Author Topic: unbound cache poisoning question  (Read 3246 times)


Offline kejianshi

  • Hero Member
  • Posts: 4971
  • Karma: +199/-43
  • Debugging...
Re: unbound cache poisoning question
« Reply #15 on: January 28, 2015, 09:39:10 pm »
You can also block 0.0.0.0/0 and 0::0/0

That would do it for sure...  (kidding)

Seriously though, I think it's fixed now.

Offline Trel

  • Sr. Member
  • Posts: 368
  • Karma: +11/-1
Re: unbound cache poisoning question
« Reply #16 on: January 28, 2015, 09:44:33 pm »
Quote from: kejianshi
You can also block 0.0.0.0/0 and 0::0/0

That would do it for sure...  (kidding)

Seriously though, I think it's fixed now.

If it's fixed now, I still want to know what was happening to cause it....

Offline cmb

  • Hero Member
  • Posts: 11226
  • Karma: +896/-7
    • Chris Buechler
Re: unbound cache poisoning question
« Reply #17 on: January 28, 2015, 11:31:20 pm »
Quote from: Trel
If it's fixed now, I still want to know what was happening to cause it....

Based on what people have reported thus far, I'm thinking there is some successful cache poisoning happening against Google and Level 3's public DNS. By the nature of how such anycasted services work, it would probably be very hit and miss if it were successful on occasion. Not sure, as I haven't seen it happen myself, but there are enough reports and details within them here that show switching away from 8.8.8.8/8.8.4.4/4.2.2.2/4.2.2.1 fixes their issues that it appears the most likely cause. It's also possible someone's hijacking 8.8.8.0/24, 8.8.4.0/24, etc. routes in Internet BGP with some degree of success, but a glance at some BGP looking glasses makes that seem unlikely. 

Offline Trel

  • Sr. Member
  • Posts: 368
  • Karma: +11/-1
Re: unbound cache poisoning question
« Reply #18 on: January 28, 2015, 11:58:08 pm »
Quote from: cmb
Quote from: Trel
If it's fixed now, I still want to know what was happening to cause it....

Based on what people have reported thus far, I'm thinking there is some successful cache poisoning happening against Google and Level 3's public DNS. By the nature of how such anycasted services work, it would probably be very hit and miss if it were successful on occasion. Not sure, as I haven't seen it happen myself, but there are enough reports and details within them here that show switching away from 8.8.8.8/8.8.4.4/4.2.2.2/4.2.2.1 fixes their issues that it appears the most likely cause. It's also possible someone's hijacking 8.8.8.0/24, 8.8.4.0/24, etc. routes in Internet BGP with some degree of success, but a glance at some BGP looking glasses makes that seem unlikely.

So best practice here would be to simply not use those and have unbound strictly deal with the roots?

Offline cmb

  • Hero Member
  • Posts: 11226
  • Karma: +896/-7
    • Chris Buechler
Re: unbound cache poisoning question
« Reply #19 on: January 29, 2015, 02:26:12 am »
Quote from: Trel
So best practice here would be to simply not use those and have unbound strictly deal with the roots?

Yes, less susceptibility to this type of thing in that case. Granted, what's apparently happening here should really never happen, but there have been instances of cache poisoning a number of times in the past with such DNS services.
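What "have unbound deal with the roots" looks like in unbound.conf terms, as an added example that is not part of the thread and not pfSense's generated config. The first stanza is what pfSense's forwarding-mode checkbox produces (every query goes to the listed forwarders, so unbound's cache holds whatever their caches hold); the second drops the forward-zone so unbound iterates from the root hints itself and validates DNSSEC. File paths are assumed; pfSense ships its own root.key and manages the trust anchor when the DNSSEC checkbox is on, and the extra harden-* lines would go in the Custom options box. qname-minimisation needs unbound 1.5.7 or later, which postdates this thread.

```conf
# Weak: forwarding mode. Everything is resolved through the public forwarders,
# so a poisoned entry in their cache is served to every client behind pfSense.
server:
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
    forward-addr: 4.2.2.2
    forward-addr: 4.2.2.1

# Hardened: no forward-zone, so unbound walks the delegation chain from the
# roots, and answers from signed zones must validate or they are dropped.
server:
    root-hints: "/var/unbound/root.hints"        # path assumed; built-in hints are used if omitted
    auto-trust-anchor-file: "/var/unbound/root.key"   # path assumed; RFC 5011 rollover handled by unbound
    val-permissive-mode: no        # a BOGUS answer becomes SERVFAIL, not a passed-through record
    harden-glue: yes               # glue is only trusted within the zone that is authoritative for it
    harden-dnssec-stripped: yes    # missing DNSSEC data for a signed zone is treated as bogus
    harden-referral-path: yes      # validate the NS names in referrals too (more queries per lookup)
    use-caps-for-id: yes           # 0x20 case randomisation adds entropy to each query
    qname-minimisation: yes        # unbound 1.5.7+; send each server only the labels it needs
    prefetch: yes                  # refresh popular records before expiry instead of at TTL 0
```

Two caveats a practitioner would add: DNSSEC only protects zones that are signed, so for unsigned names the recursive path still relies on unbound's own source-port and ID randomisation rather than on validation; and resolving from the roots means the firewall needs outbound UDP and TCP 53 to arbitrary Internet hosts, which a restrictive egress policy may currently block.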

Offline wagonza

  • Sr. Member
  • Posts: 394
  • Karma: +8/-1
    • The Packet Hub
Re: unbound cache poisoning question
« Reply #20 on: January 29, 2015, 07:48:31 am »
If you see it's the same domains that are always being affected, then there may be a possibility that the NSes themselves have data that differs from one another.
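A way to check both hypotheses in the thread (poisoned answers at the public forwarders per cmb, versus the zone's own nameservers disagreeing per wagonza), as an added example that is not from the thread, pfSense or unbound. It uses only the Python standard library: it builds a minimal A query, sends it over UDP to each server given, parses the A records out of the reply, and reports servers whose answer set differs from the majority. Run it once against the public forwarders named in the thread and once against the affected zone's authoritative NS addresses; if the forwarders disagree with each other but the NSes agree, the forwarder side is suspect. Server lists, names and the 192.0.2.0/24 addresses used for offline testing are constructed, and the majority rule is a heuristic: CDN names legitimately resolve differently per resolver location.

```python
"""Compare the A records one name resolves to across several DNS servers.

Added example for this thread, not pfSense or unbound code.  Standard
library only.  Usage: python dnsdiff.py NAME [SERVER ...]
"""
import random
import socket
import struct
from collections import Counter

QTYPE_A, QCLASS_IN = 1, 1


def _encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid):
    """Standard query, RD set, one question for NAME/A/IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def build_response(qid, name, addrs, ttl=300):
    """Construct a reply for offline testing (flags QR|RD|RA, RCODE 0).
    Answer owner names use a compression pointer (0xC00C) to the question."""
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
                   + socket.inet_aton(a) for a in addrs)
    return header + question + rrs


def _skip_name(msg, off):
    """Return the offset just past a wire-format name, compressed or not."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes end the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, expect_id):
    """Return the set of IPv4 addresses in the answer section.
    Raises ValueError on ID mismatch, a non-response, a truncated reply
    (retry over TCP is not implemented here) or a non-zero RCODE."""
    qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if qid != expect_id:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x0200:
        raise ValueError("truncated reply")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                            # skip CNAME or other rdata
    return addrs


def query_server(server, name, timeout=2.0):
    """Send one A query to server (IPv4 string) and return its address set."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, qid)


def find_outliers(answers):
    """answers: {server: set of addresses}.  Returns (consensus, outliers):
    the most common answer set and every server whose set differs from it.
    Ties go to the set seen first; treat an outlier as a lead, not as proof."""
    counts = Counter(frozenset(a) for a in answers.values())
    consensus = counts.most_common(1)[0][0]
    outliers = {s: set(a) for s, a in answers.items() if frozenset(a) != consensus}
    return set(consensus), outliers


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    # Default list: the forwarders named in the thread.  Pass the zone's own
    # NS addresses instead to compare the authoritative side.
    servers = sys.argv[2:] or ["8.8.8.8", "8.8.4.4", "4.2.2.2", "4.2.2.1"]
    results = {}
    for srv in servers:
        try:
            results[srv] = query_server(srv, name)
        except (OSError, ValueError) as exc:
            print("%s: error: %s" % (srv, exc))
    if results:
        consensus, outliers = find_outliers(results)
        print("consensus:", sorted(consensus))
        for srv, addrs in outliers.items():
            print("DIFFERS %s: %s" % (srv, sorted(addrs)))
```

The parser checks the transaction ID and the QR bit before believing a reply, which is the same minimal discipline a resolver applies; it does not validate DNSSEC, so it can tell you that answers differ, not which one is right.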