When Unbound gets a response from an authoritative server without an answer section
(NODATA), but with the additional section filled (and no referral NS records), it
returns the additional section records to the client.
This can be misused to tunnel data through unsuspicious queries (like A/AAAA) and
can be a potential security risk.
Other DNS resolvers (BIND 9, PowerDNS-Recursor, Knot-Resolver) do not forward
the additional section to the client.
Unbound removes some of those records, e.g. unrelated A/AAAA. This happens in the scrubber.
You could enable minimal-responses, does that remove the problem for you?
So A/AAAA should be removed by the scrubber? Is that not happening? Is it another type that is deemed 'unknown' and we just pass it on, because it looks harmless?
Data tunneling is not something we can really stop, e.g. they query for type TXT with that. But this additional looks like something we could remove if minimal-responses is yes. Without that, it does not look like something that has to be removed.
The additional section is there to give additional data. And it looks like that additional data is related to the query somehow.
An issue is that if we restrict the filter to not allow anything that does not fit with the query, in additional, protocol extension is harmed, because it cannot transmit new data in the additional section any more that the resolver has not been designed for yet. So Unbound allows unknown stuff in various types of queries. The filter (scrubber we call it) removes stuff that we can tell is problematic.
Fix is in the commit. It removes the additional section for negative responses, if minimal-responses is enabled. Not the authority section because those entries are needed for DNSSEC and the SOA record for TTL.
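The scrub the fix describes, as an added Python illustration (not Unbound's own code, which does this in C inside its scrubber): a constructed NODATA response carrying an SOA in the authority section and two A records in the additional section; with minimal-responses on, the additional section is dropped and the authority section is kept. The EDNS OPT record is assumed to be handled separately, as Unbound does, so the constructed message contains none.

```python
import struct

def build_nodata_response():
    """Constructed wire-format NODATA reply (not captured traffic): NOERROR, one
    question (www.example. A), no answer, one SOA in authority, two A records in
    additional. Names use compression pointers into the question name (offset 12)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 1, 2)
    question = b"\x03www\x07example\x00" + struct.pack("!HH", 1, 1)  # A, IN
    ptr_example = b"\xc0\x10"                                          # -> "example."
    soa_rdata = (b"\x02ns" + ptr_example + b"\x05admin" + ptr_example
                 + struct.pack("!IIIII", 1, 3600, 900, 604800, 300))
    authority = ptr_example + struct.pack("!HHIH", 6, 1, 300, len(soa_rdata)) + soa_rdata
    extra1 = b"\x05extra" + ptr_example + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 0, 0, 1])
    extra2 = b"\x04data" + ptr_example + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 0, 0, 2])
    return header + question + authority + extra1 + extra2

def _skip_name(msg, pos):
    """Return the offset just past the name at pos (handles compression pointers)."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return pos + 2
        if length == 0:                 # root label ends the name
            return pos + 1
        pos += length + 1

def _skip_rrs(msg, pos, count):
    """Advance over `count` resource records starting at pos."""
    for _ in range(count):
        pos = _skip_name(msg, pos)
        rdlength = struct.unpack_from("!H", msg, pos + 8)[0]   # type, class, ttl = 8 bytes
        pos += 10 + rdlength
    return pos

def scrub_negative_response(msg, minimal_responses=True):
    """With minimal-responses on, drop the additional section from a negative
    (empty answer) response. The authority section is kept: DNSSEC proofs and the
    SOA (negative-cache TTL) live there. Other responses are returned untouched."""
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    negative = an == 0 and (flags & 0x0F) in (0, 3)   # NODATA or NXDOMAIN
    if not (minimal_responses and negative and ar > 0):
        return msg
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4                   # qtype + qclass
    pos = _skip_rrs(msg, pos, an)
    end_authority = _skip_rrs(msg, pos, ns)
    header = struct.pack("!HHHHHH", qid, flags, qd, an, ns, 0)  # ARCOUNT = 0
    return header + msg[12:end_authority]
```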
- Fix question section mismatch in local zone redirect.
- Fixup space in error message.
- Fix NLnetLabs#49: Set no renegotiation on the SSL context to stop client session renegotiation.
- Fix NLnetLabs#48: Unbound returns additional records on NODATA response, if minimal-responses is enabled, also the additional for negative responses is removed.
- Fix in respip addrtree selection. Absence of addr_tree_init_parents() call made it impossible to go up the tree when the matching netmask is too specific.
- Fix for possible assertion failure when answering respip CNAME from cache.