We are pleased to announce the release of version 1.13.0 of the Unbound recursive DNS resolver.
This version has fixes that use connect for UDP sockets, which slows down potential ICMP side channel leakage. The fix is controlled with the option udp-connect: yes, and it is enabled by default.
Additionally, CVE-2020-28935 is fixed. This solves a problem where the pidfile is altered by a symlink; with the fix, it fails if a symlink is encountered. See https://nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt for more information.
New features are upstream TCP and TLS query reuse, where a channel is reused for several queries, and the option http-notls-downstream: yesno for unencrypted DoH, which is useful for back end support servers. The option infra-keep-probing can be used to probe hosts that are down more frequently.
The options edns-client-string and edns-client-string-opcode can be used to add an EDNS option with the specified string in queries towards servers, with the servers specified by IP address. It replaces the edns-client-tag option.
For a full list of changes and binary and source packages, see the download page.