Unbound and Experimental Bit 0x20 Support



  • Hi all,

    I have been reading up a little bit on the "Experimental Bit 0x20 Support" option in Unbound as a means to improve security.

    https://developers.google.com/speed/public-dns/docs/security#randomizing_choice_of_name_servers
    https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00

    Would you guys generally recommend that this be enabled?  Or is there a possibility that things might break?  Thanks in advance for your insight, I really appreciate it.



  • Hi,
    @tman222:


    Would you guys generally recommend that this be enabled?

    I guess the pfSense isn't actually  "recommending" it, as in that case it would be activated by default.
    @tman222:


    Or is there a possibility that things might break?

    As the Google page said : some name servers do not react well and send back NXDOMAIN responses when queried with dOmain.tld instead of domain.tld. They have the possibility to build huge lists with name servers that handle the situation correctly, and others that don't (See what Google said : 70 % does, so 30 % doesn't).
    pfSense couldn't maintain such a list.

    My point of view : if this "bit 6" (0xc20) trick was that great, it would have been enabled by the unbound authors by default.

    From what I made of this : https://serverfault.com/questions/759934/can-dns-response-answers-be-in-a-different-case-than-the-query
    When you are asking for google.com and you (your resolver) got back a reply like
    google.coM (and the IP of course)
    the reply would be rejected.
    Or, google.coM and google.com should be considered as the same thing.

    What would you do ?
    Btw, I guess you would find a discussion here https://www.unbound.net/ and here https://www.isc.org/downloads/bind/ - these two cover the vast majority off all name resolving on the net.


  • LAYER 8 Global Moderator

    I have it set and have not run into anything that doesn't resolve..

    But doesn't mean that half of the domains you visit will won't be broken if you turn it on, etc. There was a thread awhile back about enabling another option where you only send the portion looking for when resolving… ie setting qname-minimisation

    That broke a ton of shit right out of the gate..

    If your curious turn it on - does stuff not resolve?  If you are unclear on how to troubleshoot dns is vs another sort of issue causing you a problem then you prob should not enable such a feature.  But if your familiar enough with troubleshooting why something doesn't work and how to test if your problem is related to that feature or not then sure turn it on and give it a go..


Log in to reply