Unbound config
-
I'm trying to stop unbound replying to my RFC1918 IP address space on the WAN interface.
I've added the following to the Custom options, but digs are still responding with RFC1918 addresses when I point the following URL to my WAN interface:
http://www.subnetonline.com/pages/network-tools/online-dig.php

private-address: 192.168.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8

I don't think I even need it looking at https://www.unbound.net/documentation/unbound.conf.html:

private-address: <IP address or subnet>
Give IPv4 or IPv6 addresses or classless subnets. These are addresses on your private network, and are not allowed to be returned for public internet names. Any occurrence of such addresses is removed from DNS answers. Additionally, the DNSSEC validator may mark the answers bogus. This protects against so-called DNS Rebinding, where a user browser is turned into a network proxy, allowing remote access through the browser to other parts of your private network. Some names can be allowed to contain your private addresses, by default all the local-data that you configured is allowed to, and you can specify additional names using private-domain. No private addresses are enabled by default. We consider to enable this for the RFC1918 private IP address space by default in later releases. That would enable private addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 fd00::/8 and fe80::/10, since the RFC standards say these addresses should not be visible on the public internet. Turning on 127.0.0.0/8 would hinder many spam-blocklists as they use that. Adding ::ffff:0:0/96 stops IPv4-mapped IPv6 addresses from bypassing the filter.

Anyone got any tips?
-
"I'm trying to stop unbound replying to my RFC1918 IP address space on the WAN interface."
huh?? Out of the box unbound would not be able to respond to anything coming in your wan.. for starters all rfc1918 inbound to your wan would be blocked by the rfc1918 rule even if you created an allow rule to your wan address.
So you go to that url and put in what exactly?? That is just an online version of dig - it has zero to do with your pfsense answering anything. What exactly are you putting in there that would get you to think unbound is responding on your wan?
Post up your wan rules. Also you can tell unbound not to even listen on your wan, and only use it as your outgoing query interface. In the unbound setup web gui (Resolver in pfsense), which defaults to all for both listen and query.
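To make the two points above concrete (the first post's private-address lines and the advice here to keep unbound off the WAN), here is an added example unbound.conf server section; it is not from the thread or from pfSense, and the LAN addresses 192.168.1.1 / fd00:1::1 and the zone name home.example are assumed. The split matters: private-address only scrubs RFC1918 addresses out of answers (the rebinding protection the manual describes), while interface and access-control decide who is answered at all, so the WAN exposure is fixed by the latter, not the former.

```conf
# Added example, not the original poster's config. Addresses and the
# private-domain name below are assumed values for illustration.
server:
    # Bind only to LAN addresses; nothing listens on the WAN address.
    # (pfSense: "Network Interfaces" list in the DNS Resolver GUI, which
    # defaults to "All" and must be narrowed there, not in Custom options.)
    interface: 192.168.1.1
    interface: fd00:1::1

    # Recursive queries still leave through the WAN by default; outgoing-
    # interface is only needed if you want to pin them to one address.

    # Refuse every client by default, then allow the local subnets. A query
    # that somehow reaches unbound from the WAN gets REFUSED, not answered.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.168.0.0/16 allow
    access-control: fd00::/8 allow

    # Rebinding protection: strip private/link-local/ULA addresses from
    # answers for public names. The IPv4-mapped range closes the bypass the
    # manual mentions; 127.0.0.0/8 is left out because DNS blocklists use it.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    private-address: ::ffff:0:0/96

    # Zones that may legitimately resolve to private addresses. local-data
    # you define is allowed automatically, so only external zones go here.
    private-domain: "home.example"
```

Run `unbound-checkconf` after editing; on pfSense the access-control and private-* lines belong in Custom options, while the interface lists are set in the Resolver GUI.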
-
I want it to reply for lookups for my IPv6 address space and additional records for my WAN IPv4 address that I'm port forwarding rather than using bind.
I'll drop you a PM.
Funny enough I was just looking at one of your posts re ntp on the Ubiquiti APs :)
-
And does your isp point your ipv6 space to your NS for PTR?? Or are you using HE ipv6? HE will answer for your IPv6 space and even PTR..
Not really a fan of running your own NS to the public.. Much easier, safer and more reliable to just let the people that do dns for a living do it.. Your registrar, your dns service provider or someone like HE.. They give you like 50 domains or something.. And full control of the ipv6 space you get from them.
-
And does your isp point your ipv6 space to your NS for PTR??
My ISP are in the process of repointing my NS, sadly I can alter my IPv4 records using their tools but they won't do IPv6.
It's only for me to play about with and there aren't many entries.
-
"It's only for me to play about with and there aren't many entries."
You're still hosting dns to the public.. BAD IDEA!!! Host your dns elsewhere... Where is your 2nd NS? You really need to have 2...
And sorry unbound is not designed to be an authoritative NS.. If you want, install the bind package..
And that domain you're using.. I show it pointing here:
yourdomain.net. 3600 IN SOA ns0.zen.co.uk. netman.zen.co.uk. 2017030305 14400 1800 604800 86400
What you're doing is a really bad idea and makes no sense.. You can host up your domain for FREE multiple places and point to ipv4 and/or ipv6..
If you want to play - I have a domain I like to play with for dnssec signing, etc. I host it on a vps that I get for 15$ a year.. Yeah I have 2 of them, because it's not proper dns to only have 1.. There are only a few records in it, both ipv4 and ipv6.. It is my play box for doing stuff with dnssec.. And yeah it points to my other vps, and my home IPs.. etc..
I would never in a million years host up NS services off my home connection.. ZERO point to it!! Also too easy to make a mistake and now your connection is offline because you're part of a dns amplification attack.. Want to host up dns to your local network - sure, been doing that for years and years.. Hosting to the public is not something that makes any sense to do off your home connection. It rarely makes sense even for the largest of enterprises. It makes sense when you're in the business of serving dns ;)