Unbound - RFC1918 PTRs vs. Private Address support/Domain Overrides


  • Well, if you check the "Private Address support" checkbox, you get this in unbound.conf:

    
    # For DNS Rebinding prevention
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 192.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    
    

    Adding Domain Overrides for reverse lookup zones does something like this (assuming the DNS server IP is 10.0.0.1):

    
    # Set private domains in case authorative name server returns a RFC1918 IP address
    private-domain: "10.in-addr.arpa"
    domain-insecure: "10.in-addr.arpa"
    private-domain: "168.192.in-addr.arpa"
    domain-insecure: "168.192.in-addr.arpa"
    
    ...
    
    # Domain overrides
    stub-zone:
            name: "10.in-addr.arpa"
            stub-addr: 10.0.0.1
            stub-prime: no
    stub-zone:
            name: "168.192.in-addr.arpa"
            stub-addr: 10.0.0.1
            stub-prime: no
    
    

    All of the above stuff done by domain overrides is, however, completely useless due to the private-address stuff added before. To make reverse lookups really work with RFC1918 IPs, you need to do the following in advanced settings:

    
    server:; local-zone: "10.in-addr.arpa." nodefault;server:; local-zone: "168.192.in-addr.arpa." nodefault;
    
    

    Hmmmm… do not think this is what's been intended.



  • I pushed a fix for this now.


  • Banned

    @wagonza:

    I pushed a fix for this now.

    OK… thanks. Forgot I posted this, so, my fault - can you please use transparent instead of nodefault? Reason being, nodefault only works with zones like 10.in-addr.arpa; transparent works with much more granular ones, such as 0.0.10.in-addr.arpa, as documented.

    You can also selectively unblock a part of the zone by making that part transparent with a local-zone statement.  This also works with the other default zones.



  • @doktornotor:

    OK… thanks. Forgot I posted this, so, my fault - can you please use transparent instead of nodefault? Reason being, nodefault only works with zones like 10.in-addr.arpa; transparent works with much more granular ones, such as 0.0.10.in-addr.arpa, as documented.

    Whoops yeah that was meant to be transparent. Now fixed


  • Excellent, all works without any custom config lines now! Thanks!
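
For reference, the two halves of what this thread arrives at (the generated private-address/domain-override lines from the first post, plus the `local-zone ... transparent` override agreed in the later replies) combined into one unbound.conf fragment. This is an added example written for this page, not text from the thread and not pfSense's own unbound.inc output. It assumes an internal authoritative server at 10.0.0.1 that serves 10.in-addr.arpa and the single /24 0.168.192.in-addr.arpa; the link-local range is written as 169.254.0.0/16 (RFC 3927). It goes beyond the thread in one respect: it delegates only a /24 of 192.168/16 to show why `transparent` rather than `nodefault` is needed.

```conf
server:
    # DNS-rebinding protection: strip A/AAAA answers pointing into these
    # ranges unless the owning name falls under a private-domain below.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

    # Reverse zones served by the internal DNS server (assumed: 10.0.0.1).
    # private-domain lets answers under these names carry RFC1918 addresses;
    # domain-insecure skips DNSSEC validation for zones that are not signed.
    private-domain: "10.in-addr.arpa"
    domain-insecure: "10.in-addr.arpa"
    private-domain: "0.168.192.in-addr.arpa"
    domain-insecure: "0.168.192.in-addr.arpa"

    # Without the next two lines the stub-zones below are never consulted:
    # unbound ships built-in local-zones for the RFC1918 reverse space
    # (10.in-addr.arpa, 16.172.in-addr.arpa ... 31.172.in-addr.arpa,
    # 168.192.in-addr.arpa) that answer NXDOMAIN before any forwarding happens.
    #
    #   local-zone: "10.in-addr.arpa." nodefault    # works, but only for the
    #                                                # exact built-in zone name
    #
    # "transparent" overrides the built-in zone for that name and, unlike
    # nodefault, also works for a sub-zone of a built-in one, so a single /24
    # can be delegated while the rest of 192.168/16 keeps returning NXDOMAIN.
    local-zone: "10.in-addr.arpa." transparent
    local-zone: "0.168.192.in-addr.arpa." transparent

# Domain overrides: send these reverse zones to the internal server.
stub-zone:
    name: "10.in-addr.arpa"
    stub-addr: 10.0.0.1
    stub-prime: no

stub-zone:
    name: "0.168.192.in-addr.arpa"
    stub-addr: 10.0.0.1
    stub-prime: no
```

Check the syntax with `unbound-checkconf <path-to-unbound.conf>` before reloading. Afterwards `dig -x 10.0.0.5 @127.0.0.1` should return whatever PTR the server at 10.0.0.1 holds, and `dig -x 192.168.0.5 @127.0.0.1` likewise, while `dig -x 192.168.1.5 @127.0.0.1` (outside the delegated /24) still comes back NXDOMAIN from the built-in 168.192.in-addr.arpa zone, which is the behaviour the `transparent` sub-zone override is meant to give.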

