Unbound is a validating, recursive, and caching DNS resolver.
BSD-3-CLAUSE License
Unbound 1.19.3
This release has a number of bug fixes. The CNAME synthesized for a
DNAME record now uses the TTL of the DNAME record, so it can be cached
for that TTL instead of 0.
There is a fix for the case where a message is stored in cache but one
of its RRsets is not updated because of cache policy: the message TTL is
now restricted if the cached version of that RRset has a shorter TTL.
This avoids a bug where the message itself had not expired while one of
its RRsets had.
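Both fixes above concern the TTL that ends up in the message cache. The following is an added example, not Unbound's code: a toy RRset cache plus message cache in Python that synthesizes the CNAME for a DNAME (RFC 6672) with the DNAME's TTL, and caps the message TTL by the remaining TTL of each RRset as it actually sits in the RRset cache. The `trust` field and the "keep the more trusted cached copy" policy are assumptions standing in for Unbound's cache policy; names and TTLs are constructed.

```python
"""Added example (not Unbound's code): DNAME->CNAME synthesis with the DNAME's TTL,
and a message cache whose TTL is clamped to the cached RRsets it refers to."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RRset:
    name: str        # owner name, lower-case, with trailing dot
    rtype: str       # "A", "CNAME", "DNAME", ...
    ttl: int         # seconds
    rdata: tuple     # rdata strings
    trust: int = 0   # assumed stand-in for Unbound's per-RRset trust level


@dataclass
class Entry:
    rr: RRset
    expiry: float    # absolute time at which the cached copy expires


def synthesize_cname(qname: str, dname: RRset) -> RRset:
    """Synthesize the CNAME a DNAME implies for qname (DNAME redirection, RFC 6672).
    The owner is qname; the target is qname with the DNAME owner replaced by the
    DNAME target. The TTL is the DNAME's TTL (the 1.19.3 behaviour), not 0."""
    owner = dname.name
    if qname == owner or not qname.endswith("." + owner):
        raise ValueError("qname is not below the DNAME owner")
    below = qname[: -len(owner) - 1]          # labels below the DNAME owner
    return RRset(qname, "CNAME", dname.ttl, (below + "." + dname.rdata[0],), dname.trust)


class Cache:
    def __init__(self):
        self.rrsets = {}     # (name, rtype) -> Entry
        self.messages = {}   # (qname, qtype) -> (tuple of (name, rtype), expiry)

    def store_rrset(self, rr: RRset, now: float) -> Entry:
        """Store rr unless cache policy keeps the existing entry; return what is cached."""
        key = (rr.name, rr.rtype)
        cached = self.rrsets.get(key)
        if cached is not None and cached.expiry > now and cached.rr.trust > rr.trust:
            return cached                     # policy: keep the more trusted copy
        entry = Entry(rr, now + rr.ttl)
        self.rrsets[key] = entry
        return entry

    def store_message(self, qname: str, qtype: str, answer: list, now: float) -> int:
        """Store a message and return the TTL it was cached with. The TTL starts as
        the shortest TTL in the answer and is then capped by the remaining TTL of
        every RRset as it actually sits in the RRset cache, so the message can
        never outlive one of its RRsets."""
        message_ttl = min(rr.ttl for rr in answer)
        refs = []
        for rr in answer:
            entry = self.store_rrset(rr, now)
            message_ttl = min(message_ttl, int(entry.expiry - now))
            refs.append((rr.name, rr.rtype))
        self.messages[(qname, qtype)] = (tuple(refs), now + message_ttl)
        return message_ttl


def demo() -> dict:
    """Constructed scenario: a trusted A record is already cached with 10 s left
    when a DNAME-redirected answer carrying a less trusted copy (TTL 3600) arrives."""
    cache = Cache()
    a_trusted = RRset("www.example.net.", "A", 30, ("192.0.2.1",), trust=2)
    cache.store_rrset(a_trusted, now=0)
    dname = RRset("example.com.", "DNAME", 300, ("example.net.",), trust=1)
    cname = synthesize_cname("www.example.com.", dname)
    a_untrusted = RRset("www.example.net.", "A", 3600, ("192.0.2.1",), trust=1)
    ttl = cache.store_message("www.example.com.", "A", [dname, cname, a_untrusted], now=20)
    return {"cname_ttl": cname.ttl, "cname_target": cname.rdata[0], "message_ttl": ttl}


if __name__ == "__main__":
    print(demo())
```

Without the cap in `store_message`, the message would be cached for 300 seconds while the A RRset it refers to expires after 10, which is exactly the "message not expired, contents expired" state the release note describes.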
For dnstap, the DoH and DoT transport types are now logged correctly
when they are used for the message.
The b.root-servers.net address is updated in the default root hints.
When retrying failed sends, a retry at a smaller UDP size is no longer
attempted when that size is not actually smaller; with the defaults
since the DNS flag day changes it is the same size, so the step is
skipped because it brings no reduction in size.
Clients with a valid DNS Cookie bypass the ratelimit, if one is set;
the value from ip-ratelimit-cookie is used for these queries.
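To make the cookie exemption concrete, here is an added example in Python, not Unbound's code: a per-client rate limiter in the spirit of ip-ratelimit / ip-ratelimit-cookie, with a server cookie check in front of it. The server cookie layout follows RFC 9018 (version 1, three reserved bytes, 32-bit timestamp, 8-byte hash), but the hash is HMAC-SHA256 truncated to 8 bytes, an assumed stand-in for the SipHash-2-4 that RFC 9018 specifies. The secret, limits, addresses and the separate per-second buckets are constructed for the demo.

```python
"""Added example, not Unbound's code: cookie-aware per-client query rate limiting."""
import hashlib
import hmac
import struct
from collections import defaultdict
from typing import Optional

SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed demo secret


def _cookie_hash(client_cookie: bytes, prefix: bytes, client_ip: str) -> bytes:
    # Bind the server cookie to the client cookie, the timestamp and the client address.
    # HMAC-SHA256/8 is an assumed stand-in for RFC 9018's SipHash-2-4.
    msg = client_cookie + prefix + client_ip.encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:8]


def make_server_cookie(client_cookie: bytes, client_ip: str, now: int) -> bytes:
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be 8 bytes")
    prefix = bytes([1, 0, 0, 0]) + struct.pack("!I", now)   # version, reserved, timestamp
    return prefix + _cookie_hash(client_cookie, prefix, client_ip)


def server_cookie_valid(option: bytes, client_ip: str, now: int) -> bool:
    """`option` is the COOKIE option data: 8-byte client cookie + 16-byte server cookie."""
    if len(option) != 24 or option[8] != 1:
        return False
    client_cookie, prefix = option[:8], option[8:16]
    ts = struct.unpack("!I", prefix[4:8])[0]
    if not (now - 3600 <= ts <= now + 300):     # freshness window RFC 9018 allows
        return False
    return hmac.compare_digest(option[16:], _cookie_hash(client_cookie, prefix, client_ip))


class RateLimiter:
    """Queries per second per client IP. A query carrying a valid server cookie is
    counted against cookie_qps (like ip-ratelimit-cookie) instead of qps (like
    ip-ratelimit); 0 means unlimited. Keeping cookie and plain queries in separate
    per-second buckets is an assumption of this model."""

    def __init__(self, qps: int, cookie_qps: int):
        self.limits = {False: qps, True: cookie_qps}
        self.counts = defaultdict(int)   # (ip, has_cookie, second) -> queries seen

    def allow(self, client_ip: str, option: Optional[bytes], now: float) -> bool:
        has_cookie = option is not None and server_cookie_valid(option, client_ip, int(now))
        limit = self.limits[has_cookie]
        if limit == 0:
            return True
        key = (client_ip, has_cookie, int(now))
        self.counts[key] += 1
        return self.counts[key] <= limit


def demo() -> dict:
    now = 1_700_000_000
    ip = "198.51.100.7"
    rl = RateLimiter(qps=2, cookie_qps=10)
    client_cookie = bytes.fromhex("0123456789abcdef")
    good = client_cookie + make_server_cookie(client_cookie, ip, now)
    forged = good[:-1] + bytes([good[-1] ^ 0xFF])               # last hash byte flipped
    stale = client_cookie + make_server_cookie(client_cookie, ip, now - 7200)
    return {
        "plain": [rl.allow(ip, None, now) for _ in range(3)],   # third query exceeds 2 qps
        "cookie": all(rl.allow(ip, good, now) for _ in range(10)),
        "forged_valid": server_cookie_valid(forged, ip, now),
        "stale_valid": server_cookie_valid(stale, ip, now),
        "other_ip_valid": server_cookie_valid(good, "203.0.113.9", now),
    }


if __name__ == "__main__":
    print(demo())
```

The point of binding the hash to the client address is that a cookie obtained from one address cannot be replayed from another to borrow the more generous limit; the forged, stale and cross-address cases in `demo()` all fall back to the plain ip-ratelimit bucket.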
Furthermore there is a fix to make correct EDE Prohibited answers for
access control denials, and a fix for EDNS client subnet scope zero
answers.
Features:
Bug Fixes:
Published by wcawijngaards 8 months ago
Unbound 1.19.2
This security release fixes CVE-2024-1931.
NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1
contain a vulnerability that can cause denial of service through a
code path that can lead to an infinite loop.
Unbound 1.18.0 introduced a feature that removes EDE records from
responses that are larger than the client's advertised buffer size.
Before removing all the EDE records however, it would try to see if
trimming the extra text fields on those records would result in an
acceptable size while still retaining the EDE codes.
Due to an unchecked condition, the code that trims the text of the EDE
records could loop indefinitely.
This happens when Unbound would reply with attached EDE information on a
positive reply and the client's buffer size is smaller than the needed
space to include EDE records.
The vulnerability can only be triggered when the 'ede: yes' option is
used, which is not the default configuration.
From version 1.19.2 on, the code is fixed to avoid looping indefinitely.
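As an added illustration (not Unbound's code) of the trimming logic described above, the Python below trims Extended DNS Error options (RFC 8914, EDNS option code 15) to fit an advertised buffer in a bounded way: strip extra text first, longest first, keep the codes, and drop the options entirely only when even the bare codes do not fit. The reply sizes, the option contents and the trimming order are constructed for the demo.

```python
"""Added example, not Unbound's code: bounded trimming of EDE options to a buffer."""
from dataclasses import dataclass

EDE_OPTION_CODE = 15


@dataclass
class Ede:
    info_code: int
    extra_text: bytes = b""

    def wire_size(self) -> int:
        # OPTION-CODE (2) + OPTION-LENGTH (2) + INFO-CODE (2) + EXTRA-TEXT
        return 6 + len(self.extra_text)


def response_size(base: int, edes: list) -> int:
    """`base` is the size of the reply without any EDE option."""
    return base + sum(e.wire_size() for e in edes)


def fit_ede_to_buffer(base: int, edes: list, buffer_size: int) -> list:
    """Return the EDE options to send. Preference: keep everything; else strip
    extra text (longest first) but keep the codes; else drop all EDE options.
    The trimming loop is bounded: every pass empties one non-empty text and it
    stops as soon as none is left. A loop that keeps trimming until the reply
    fits, with no check that something is still trimmable, cannot make progress
    once every text is empty, which is the shape of the 1.19.2 bug."""
    kept = [Ede(e.info_code, e.extra_text) for e in edes]
    while response_size(base, kept) > buffer_size:
        with_text = [e for e in kept if e.extra_text]
        if not with_text:
            break                       # nothing left to trim
        max(with_text, key=lambda e: len(e.extra_text)).extra_text = b""
    if response_size(base, kept) <= buffer_size:
        return kept
    return []                           # the codes alone do not fit: drop EDE entirely


SAMPLE_EDES = [                         # constructed options for a positive reply
    Ede(18, b"not authoritative for the name"),   # 36 bytes on the wire
    Ede(9, b"DNSKEY missing"),                    # 20 bytes
    Ede(0),                                       # 6 bytes
]


def demo(base: int = 500) -> dict:
    """Outcome per advertised buffer size; the reply without EDE is `base` bytes."""
    out = {}
    for buf in (600, 540, 520, 512):
        out[buf] = [(e.info_code, e.extra_text)
                    for e in fit_ede_to_buffer(base, SAMPLE_EDES, buf)]
    return out


if __name__ == "__main__":
    for buf, edes in demo().items():
        print(buf, edes)
```

The 512-byte case is the one the advisory describes: a positive reply where even the six bytes per code do not fit, so the only correct outcome is to send no EDE at all, and the loop has to recognise that there is nothing left to take away.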
We would like to thank Fredrik Pettai and Patrik Lundin from SUNET for
notifying us about the issue and working with us to identify the
vulnerability.
Bug Fixes:
Published by wcawijngaards 8 months ago
Unbound 1.19.1
This security release fixes two DNSSEC validation vulnerabilities:
CVE-2023-50387 (referred here as the KeyTrap vulnerability) and
CVE-2023-50868 (referred here as the NSEC3 vulnerability).
The KeyTrap vulnerability works by using a combination of keys (including
keys with colliding key tags), signatures and the number of RRsets in a
malicious zone. Answers from that zone can force a DNSSEC validator down
a very CPU intensive and time costly validation path.
The NSEC3 vulnerability uses specially crafted responses on a malicious
zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very
CPU intensive and time costly NSEC3 hash calculation path.
Both can force Unbound to spend an enormous amount of time (compared to
regular traffic) validating a single specially crafted DNSSEC response
while everything else is on hold for that thread. A trivially
orchestrated attack could keep all threads busy with such responses,
leading to denial of service.
From version 1.19.1 on, Unbound introduces suspension on DNSSEC response
validations that seem to require more attempts than Unbound is willing
to make per response validation run. Suspension means that Unbound
will continue with other work before resuming a suspended validation
offering CPU time between validation resumptions to other tasks. There is
a backoff timer when suspending which is further influenced by the number
of suspends already used and the amount of work currently in Unbound.
The introduced builtin limits in Unbound are:
While under attack, Unbound could show a higher CPU load because of the
needed validations, but the suspend strategy guarantees the CPU is not
locked on any particular validation task.
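The following is an added example in Python, not Unbound's code, that models the suspension strategy described above: a toy scheduler with a per-run cap on signature verification attempts, after which the validation is suspended with a backoff that grows with the number of suspends already used and with the amount of pending work. The cap (8), the backoff formula, the per-attempt cost and the attempt counts are constructed; Unbound's real builtin limits are its own and are not reproduced here.

```python
"""Added example, not Unbound's code: capped validation runs with suspension."""
import heapq
from dataclasses import dataclass, field


def keytrap_attempts(n_keys: int, n_sigs: int, colliding_tags: bool) -> int:
    """Signature verifications a naive validator performs for one RRset.
    With distinct key tags each RRSIG is matched to one key; with colliding key
    tags every RRSIG has to be tried against every key, so the cost multiplies."""
    return n_keys * n_sigs if colliding_tags else n_sigs


@dataclass(order=True)
class Validation:
    resume_at: float
    seq: int
    name: str = field(compare=False)
    remaining: int = field(compare=False)       # attempts still to perform
    suspends: int = field(compare=False, default=0)


class Scheduler:
    def __init__(self, attempts_per_run: int):
        self.attempts_per_run = attempts_per_run   # assumed per-run budget
        self.queue = []                            # heap ordered by resume time
        self.clock = 0.0
        self.seq = 0
        self.runs = []                             # (time, name, attempts done)
        self.finished = []                         # names in completion order

    def submit(self, name: str, attempts: int) -> None:
        heapq.heappush(self.queue, Validation(self.clock, self.seq, name, attempts))
        self.seq += 1

    def backoff(self, task: Validation) -> float:
        # assumed formula: grows with suspends already used and with pending work
        return 1.0 * (1 + task.suspends) * (1 + len(self.queue))

    def run(self) -> list:
        while self.queue:
            task = heapq.heappop(self.queue)
            self.clock = max(self.clock, task.resume_at)
            done = min(task.remaining, self.attempts_per_run)
            task.remaining -= done
            self.clock += done * 0.1               # assumed cost per verification
            self.runs.append((round(self.clock, 1), task.name, done))
            if task.remaining == 0:
                self.finished.append(task.name)
                continue
            task.suspends += 1                     # suspend: let other work run first
            task.resume_at = self.clock + self.backoff(task)
            task.seq, self.seq = self.seq, self.seq + 1
            heapq.heappush(self.queue, task)
        return self.finished


def demo() -> dict:
    """Constructed workload: one KeyTrap-style response needing 64 x 64 attempts
    and two ordinary ones, run with and without the per-run cap."""
    out = {}
    for label, cap in (("with_cap", 8), ("no_cap", 10**9)):
        s = Scheduler(cap)
        s.submit("malicious.example.", keytrap_attempts(64, 64, colliding_tags=True))
        s.submit("legit.example.", keytrap_attempts(2, 1, colliding_tags=False))
        s.submit("another.example.", keytrap_attempts(1, 2, colliding_tags=False))
        out[label] = s.run()
    return out


if __name__ == "__main__":
    print(demo())
```

With the cap, the two ordinary validations complete after the first slice of the malicious one; without it, the thread is held for all 4096 attempts before anything else runs. The total CPU spent on the malicious response is the same in both runs, which matches the note that load may still rise under attack while the thread is never locked to one task.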
We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and
Michael Waidner from the German National Research Center for Applied
Cybersecurity ATHENE for discovering and responsibly disclosing the
KeyTrap vulnerability.
We would like to thank Petr Špaček from ISC for discovering and
responsibly disclosing the NSEC3 vulnerability.
Bug Fixes
Published by wcawijngaards 12 months ago
Unbound 1.19.0
This release fixes a number of bugs, and adds some smaller features.
The redis-logical-db option and the cachedb-no-store option can be used
for cachedb configuration. The disable-edns-do option can be used for
working around broken network parts. For DNS64 there is fallback to
plain AAAA when no A record exists.
There is a bug fix so that when the UDP interface keeps returning that
sending is not possible, unbound does not loop endlessly but waits for
the condition to go away.
Resource records of type A and AAAA that are an inappropriate length
are removed from responses. This hardens against bad content.
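As an added example of that hardening check (not Unbound's code), the Python below parses a constructed answer section from wire format and drops A and AAAA records whose RDLENGTH is not 4 or 16 respectively, leaving other types untouched. The sample data is constructed here and uses uncompressed owner names only; compression pointers are out of scope for this parser.

```python
"""Added example, not Unbound's code: drop A/AAAA records of inappropriate length."""
import struct

TYPE_A, TYPE_AAAA, TYPE_TXT = 1, 28, 16
EXPECTED_RDLENGTH = {TYPE_A: 4, TYPE_AAAA: 16}


def _read_name(buf: bytes, off: int):
    """Read an uncompressed wire-format name; return (name, next offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers not supported in this example")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def parse_rrs(buf: bytes, count: int, off: int = 0):
    """Parse `count` RRs from `off`; return ([(name, type, class, ttl, rdata)], end)."""
    rrs = []
    for _ in range(count):
        name, off = _read_name(buf, off)
        rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlength]
        if len(rdata) != rdlength:
            raise ValueError("truncated RR")
        off += rdlength
        rrs.append((name, rtype, rclass, ttl, rdata))
    return rrs, off


def drop_malformed_addresses(rrs):
    """Keep every RR except A/AAAA records whose RDLENGTH is not 4/16 bytes."""
    return [rr for rr in rrs
            if rr[1] not in EXPECTED_RDLENGTH or len(rr[4]) == EXPECTED_RDLENGTH[rr[1]]]


def _rr(name: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """Encode one class IN RR with an uncompressed owner name (for the sample data)."""
    labels = name.rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return wire + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed answer section: two well-formed address records, two with bad
# lengths, and a TXT record that the filter must leave alone.
SAMPLE_ANSWER = b"".join([
    _rr("www.example.com.", TYPE_A, 300, bytes([192, 0, 2, 1])),                      # good A
    _rr("www.example.com.", TYPE_A, 300, bytes([192, 0, 2])),                         # 3-byte A
    _rr("www.example.com.", TYPE_AAAA, 300, bytes.fromhex("20010db8") + b"\x00" * 12),  # good AAAA
    _rr("www.example.com.", TYPE_AAAA, 300, bytes.fromhex("20010db8") + b"\x00" * 20),  # 24-byte AAAA
    _rr("www.example.com.", TYPE_TXT, 300, b"\x05hello"),                             # TXT, untouched
])
SAMPLE_COUNT = 5


def demo() -> list:
    """Return (type, rdlength) of the records that survive the filter."""
    rrs, _ = parse_rrs(SAMPLE_ANSWER, SAMPLE_COUNT)
    return [(rr[1], len(rr[4])) for rr in drop_malformed_addresses(rrs)]


if __name__ == "__main__":
    print(demo())
```

The check is deliberately done on the parsed RDLENGTH rather than by trusting the type alone, since a record with type A and a 3- or 5-byte RDATA is exactly the kind of bad content that would otherwise be handed to code expecting a fixed-size address.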
Features
Bug Fixes