Unbound - RFC1918 PTRs vs. Private Address support/Domain Overrides
-
Well, if you check the "Private Address support" checkbox, you get this in unbound.conf:
# For DNS Rebinding prevention
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 192.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
Adding Domain Overrides for reverse lookup zones does something like this (assuming the DNS server IP is 10.0.0.1):
# Set private domains in case authoritative name server returns a RFC1918 IP address
private-domain: "10.in-addr.arpa"
domain-insecure: "10.in-addr.arpa"
private-domain: "168.192.in-addr.arpa"
domain-insecure: "168.192.in-addr.arpa"
...
# Domain overrides
stub-zone:
  name: "10.in-addr.arpa"
  stub-addr: 10.0.0.1
  stub-prime: no
stub-zone:
  name: "168.192.in-addr.arpa"
  stub-addr: 10.0.0.1
  stub-prime: no
All of the above stuff done by domain overrides is, however, completely useless due to the private-address stuff added before. To make reverse lookups really work with RFC1918 IPs, you need to add the following in advanced settings:
server:
local-zone: "10.in-addr.arpa." nodefault
server:
local-zone: "168.192.in-addr.arpa." nodefault
Hmmmm… I do not think this is what was intended.
-
I pushed a fix for this now.
-
OK… thanks. Forgot I posted this, so, my fault - can you please use transparent instead of nodefault? The reason being, nodefault only works with zones like 10.in-addr.arpa, while transparent works with much more granular ones, such as 0.0.10.in-addr.arpa, as documented:
You can also selectively unblock a part of the zone by making that part transparent with a local-zone statement. This also works with the other default zones.
-
Whoops yeah that was meant to be transparent. Now fixed
-
Excellent, all works without any custom config lines now! Thanks!