Netgate Discussion Forum
    Unbound - RFC1918 PTRs vs. Private Address support/Domain Overrides

    pfSense Packages
    doktornotor

      Well, if you check the "Private Address support" checkbox, you get this in unbound.conf:

          # For DNS Rebinding prevention
          private-address: 10.0.0.0/8
          private-address: 172.16.0.0/12
          private-address: 192.168.0.0/16
          private-address: 192.254.0.0/16
          private-address: fd00::/8
          private-address: fe80::/10


      Adding Domain Overrides for reverse lookup zones does something like this (assuming the DNS server IP is 10.0.0.1):

          # Set private domains in case authorative name server returns a RFC1918 IP address
          private-domain: "10.in-addr.arpa"
          domain-insecure: "10.in-addr.arpa"
          private-domain: "168.192.in-addr.arpa"
          domain-insecure: "168.192.in-addr.arpa"

          ...

          # Domain overrides
          stub-zone:
                  name: "10.in-addr.arpa"
                  stub-addr: 10.0.0.1
                  stub-prime: no
          stub-zone:
                  name: "168.192.in-addr.arpa"
                  stub-addr: 10.0.0.1
                  stub-prime: no


      All of the above stuff done by domain overrides is however completely useless due to the private-address stuff added before. To make reverse lookups really work with RFC1918 IPs, you need to do the following in advanced settings:

          server:; local-zone: "10.in-addr.arpa." nodefault;server:; local-zone: "168.192.in-addr.arpa." nodefault;


      Hmmmm… do not think this is what's been intended.

    wagonza

      I pushed a fix for this now.

      Follow me on twitter http://twitter.com/wagonza
      http://www.thepackethub.co.za

    doktornotor

      @wagonza:

      I pushed a fix for this now.

      OK… thanks. Forgot I posted this, so, my fault - can you please use transparent instead of nodefault? Reason being, nodefault only works with zones like 10.in-addr.arpa, transparent works with much more granular ones, such as 0.0.10.in-addr.arpa as documented.

      You can also selectively unblock a part of the zone by making that part transparent with a local-zone statement. This also works with the other default zones.

    wagonza
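The nodefault-versus-transparent distinction discussed in this thread, as an added example that is not part of the original posts or of pfSense's own code: a small Python checker that reads an unbound.conf fragment (or the semicolon-joined custom-options line quoted above), finds stub-zones for reverse zones that unbound's built-in default local-zones would still answer with NXDOMAIN, and suggests the transparent local-zone line that releases them. The default-zone list is a subset taken from the unbound.conf manual, the sample config is constructed from the snippets in the thread, and the parser is a deliberate simplification of unbound's syntax (clause headers plus the two directives of interest only), not unbound's own config parser.

```python
import re

# Subset of the zones unbound declares as default local-zones (type static, i.e. NXDOMAIN)
# unless overridden; taken from the unbound.conf manual (RFC1918, link-local and ULA reverse zones).
DEFAULT_LOCAL_ZONES = frozenset(
    ["10.in-addr.arpa", "168.192.in-addr.arpa"]
    + [f"{i}.172.in-addr.arpa" for i in range(16, 32)]
    + ["254.169.in-addr.arpa", "d.f.ip6.arpa"]
    + [f"{h}.8.e.f.ip6.arpa" for h in "0123"]
)

# local-zone types that let a query fall through to stub/forward/recursion.
PASSTHROUGH_TYPES = {"transparent", "typetransparent", "inform"}

# Constructed sample: the GUI-generated private-address block plus three domain overrides,
# one of them a granular /24 reverse zone (0.0.10.in-addr.arpa).
SAMPLE_CONF = """
server:
  # For DNS Rebinding prevention
  private-address: 10.0.0.0/8
  private-address: 192.168.0.0/16
  private-domain: "10.in-addr.arpa"
  domain-insecure: "10.in-addr.arpa"
# Domain overrides
stub-zone:
  name: "10.in-addr.arpa"
  stub-addr: 10.0.0.1
  stub-prime: no
stub-zone:
  name: "168.192.in-addr.arpa"
  stub-addr: 10.0.0.1
  stub-prime: no
stub-zone:
  name: "0.0.10.in-addr.arpa"
  stub-addr: 10.0.0.1
"""

# The one-line custom-options form from the first post (semicolons separate statements).
CUSTOM_OPTIONS_NODEFAULT = (
    'server:; local-zone: "10.in-addr.arpa." nodefault;'
    'server:; local-zone: "168.192.in-addr.arpa." nodefault;'
)


def norm(name):
    """Strip quotes and the trailing dot so zone names compare equal regardless of spelling."""
    return name.strip('"').rstrip(".").lower()


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def parse_unbound(conf):
    """Return (stub_zone_names, {local_zone_name: type}) from an unbound.conf fragment.
    Simplified parser: clause headers ('server:', 'stub-zone:') and only the directives used here."""
    stubs, overrides, clause = [], {}, None
    for raw in conf.replace(";", "\n").splitlines():   # accept pfSense's ';'-joined form
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if re.fullmatch(r"[a-z-]+:", line):             # clause header
            clause = line[:-1]
            continue
        m = re.match(r"name:\s*(\S+)", line)
        if clause == "stub-zone" and m:
            stubs.append(norm(m.group(1)))
            continue
        m = re.match(r"local-zone:\s*(\S+)\s+(\S+)", line)
        if m:
            overrides[norm(m.group(1))] = m.group(2).lower()
    return stubs, overrides


def effective_type(name, overrides):
    """Type of the most specific local-zone that answers `name`, or None if no local-zone applies."""
    zones = {z: "static" for z in DEFAULT_LOCAL_ZONES}
    for z, t in overrides.items():
        if t == "nodefault":
            zones.pop(z, None)      # removes a *default* zone only; a no-op for any other name
        else:
            zones[z] = t            # an explicit local-zone of any other type
    matching = [z for z in zones if in_zone(name, z)]
    if not matching:
        return None
    return zones[max(matching, key=lambda z: z.count("."))]   # longest match wins


def blocked_stub_zones(conf):
    """List (zone, blocking_type, suggested_fix) for stub-zones still shadowed by a local-zone."""
    stubs, overrides = parse_unbound(conf)
    findings = []
    for z in stubs:
        t = effective_type(z, overrides)
        if t is not None and t not in PASSTHROUGH_TYPES:
            findings.append((z, t, f'local-zone: "{z}." transparent'))
    return findings


if __name__ == "__main__":
    for zone, blocker, fix in blocked_stub_zones(SAMPLE_CONF):
        print(f"{zone}: shadowed by local-zone type '{blocker}', add -> {fix}")
```

Running it on the sample reports all three stub-zones as shadowed. Appending the nodefault custom options releases them, because removing the 10.in-addr.arpa default also uncovers everything beneath it; a `nodefault` written against 0.0.10.in-addr.arpa alone changes nothing, since no default zone of that name exists, while `transparent` at that name is honoured as the longest match, which is exactly the point made in the reply above.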

      @doktornotor:

      OK… thanks. Forgot I posted this, so, my fault - can you please use transparent instead of nodefault? Reason being, nodefault only works with zones like 10.in-addr.arpa, transparent works with much more granular ones, such as 0.0.10.in-addr.arpa as documented.

      Whoops, yeah, that was meant to be transparent. Now fixed.

      Follow me on twitter http://twitter.com/wagonza
      http://www.thepackethub.co.za

    doktornotor

      Excellent, all works without any custom config lines now! Thanks!
