How to remove private-address: from /var/unbound/unbound.conf ?
-
We have a local network with private addresses/names that I have configured to unbound, this is working well. We also have separate networks across VPN connections, they are also using private (10.x.x.x) addresses which are configured to a public DNS. Now, when I query any of those hosts, unbound doesn't return the IP's because the configuration file contains "private-address: 10.0.0.0/8" lines. How can I remove / edit these lines? I can't see anything in the pfSense 2.4.2 web interface for disabling or editing these entries.
It took me a long time to figure out what was wrong - I have unbound running on a separate (linux) host for testing and it works just fine. I thought the problem was with forwarding or firewall or something..
Thanks!
-
Turn off rebind protection if upstream dns is going to return public.
But if you have rfc1918 in a public domain that resolve on the public internet - your doing it WRONG!!~
https://doc.pfsense.org/index.php/DNS_Rebinding_Protections
-
Thanks! It seems to work now. ;D
What is the correct way of setting up a DNS for private names and IPs? Using a local unbound resolver hides the private names from Internet, but on the other hand, VPN clients often use public DNS so they can't see the private names although they can and are supposed to talk to the private hosts.
-
If you have vpn client connecting they should use the local dns through the vpn to resolve rfc1918 address space. It is BAD PRACTICE to put rfc1918 in public dns… The whole point of rebinding protection is to protect against such practice.
If you have site to site vpn connections. Then all your different sites across these site to site connections should be able to resolve what you want them to resolve via internal dns..
so lets say you have site A and site B via vpn connection.
Lets call it siteAdomain.tld and siteBdomain.tld.. Its very simple to tell site A dns to ask siteB dns for host.siteBdomain.tld via either delegation or simple domain override if your using say unbound..