
Ostif.org Unbound DNS Audit Results – 1 Crit – 5 High – 5 Med - ProbablyDerekZ
https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/
======
tptacek
It's baffling to me that we're still running DNS servers written in C. DNS is
not that hard to provide!

~~~
ignoramous
Unbound was prototyped in Java, they moved to C for speed [0].

Genuine question: Which languages would you rather DNS servers/resolvers be
written in?

Consequently, if you do not mind, which DNS server and resolver do you use?

[0] https://en.wikipedia.org/wiki/Unbound_(DNS_server)#History

~~~
pcwalton
They rewrote in 2006. The JVM was not where it is today in 2006.

You could always use Rust if bare-metal speed is important to you. But, as I'm
sure tptacek will point out (and which I agree with), Go or Java or most other
high-performance memory safe languages would be perfectly reasonable as well.

~~~
tptacek
What amazes me about this, and I'm prepared to be wrong but my confidence
level is sort of high, is that you could implement most DNS servers, and, I
believe, virtually any authority server in _any language at all_ and it'd be
fine. Forget Rust and Go; you could do it in Perl.

~~~
colmmacc
I've contributed to unbound, and I wrote a lot of the DNS server that we use
at Amazon. The main security risk in DNS is DDOS; it's by far the biggest
concern and day to day pain, and a big part of a strategy for dealing with it
is having really high performance. 100s of thousands of QPS per core kind of
performance.

A lot of this boils down to using direct networking plumbing tricks and
optimizing query handling into very fast flat memory lookups. A garbage
collected language would be a terrible choice.

C is still the most common solution, but if I were writing a DNS server today,
I'd go with Rust.

~~~
tptacek
To be clear, I don't think you could write Route53's DNS servers in Perl. It'd
rather be my contention that most people running their own DNS servers don't
need the kind of resilience that Route53 has (if they did, they'd be using
Route53).

------
jwilk
Links to commits:

[https://github.com/NLnetLabs/unbound/commit/09845779d5f2c96e...](https://github.com/NLnetLabs/unbound/commit/09845779d5f2c96e3064ff398cad65c08357cfbf)
Shell Injection in IPSECMOD

[https://github.com/NLnetLabs/unbound/commit/b60c4a472c856f0a...](https://github.com/NLnetLabs/unbound/commit/b60c4a472c856f0a98120b7259e991b3a6507eb5)
Uninitialized Memory in worker_handle_request()

[https://github.com/NLnetLabs/unbound/commit/f887552763477a60...](https://github.com/NLnetLabs/unbound/commit/f887552763477a606a9608b0f6b498685e0f6587)
Config Injection in create_unbound_ad_servers.sh

[https://github.com/NLnetLabs/unbound/commit/226298bbd36f1f0f...](https://github.com/NLnetLabs/unbound/commit/226298bbd36f1f0fd9608e98c2ae85988b7bbdb8)
Integer Overflow in Regional Allocator

[https://github.com/NLnetLabs/unbound/commit/a3545867fcdec503...](https://github.com/NLnetLabs/unbound/commit/a3545867fcdec50307c776ce0af28d07046a52dd)
Integer Overflow in sldns_str2wire_dname_buf_origin()

[https://github.com/NLnetLabs/unbound/commit/fa23ee8f31ba9a01...](https://github.com/NLnetLabs/unbound/commit/fa23ee8f31ba9a018c720ea822faaee639dc7a9c)
Out of Bounds Write in sldns_bget_token_par()

[https://github.com/NLnetLabs/unbound/commit/f5e06689d193619c...](https://github.com/NLnetLabs/unbound/commit/f5e06689d193619c57c33270c83f5e40781a261d)
Assert Causing DoS in synth_cname()

[https://github.com/NLnetLabs/unbound/commit/d2eb78e871153f22...](https://github.com/NLnetLabs/unbound/commit/d2eb78e871153f22332d30c6647f3815148f21e5)
Assert Causing DoS in dname_pkt_copy()

[https://github.com/NLnetLabs/unbound/commit/02080f6b180232f4...](https://github.com/NLnetLabs/unbound/commit/02080f6b180232f43b77f403d0c038e9360a460f)
Integer Overflows in Size Calculations

[https://github.com/NLnetLabs/unbound/commit/2d444a5037acff60...](https://github.com/NLnetLabs/unbound/commit/2d444a5037acff6024630b88092d9188f2f5d8fe)
Insufficient Handling of Compressed Names in dname_pkt_copy()

[https://github.com/NLnetLabs/unbound/commit/6c3a0b54ed8ace93...](https://github.com/NLnetLabs/unbound/commit/6c3a0b54ed8ace93d5b5ca7b8078dc87e75cd640)
Out of Bound Write Compressed Names in rdata_copy()

~~~
tinus_hn
The first one is truly terrible; everyone who commits to a project like this
should understand that passing network data to a shell is a recipe for
disaster. The proper fix is not to validate the arguments; the proper fix is
not to use the shell at all. Luckily this appears to be an optional plugin.

Party like it’s 1975 indeed.

~~~
watermelon0
Using execve() and friends should be preferred, unless you have a really good
reason for spawning a shell.

