3. Unbound - RFC1918 PTRs vs. Private Address support/Domain Overrides

Unbound - RFC1918 PTRs vs. Private Address support/Domain Overrides

  • D
    Banned

    Well, if you check the "Private Address support" checkbox, you get this in unbound.conf:

    
# For DNS Rebinding prevention
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 192.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10

    Adding Domain Overrides for reverse lookup zones does something like this (assuming the DNS server IP is 10.0.0.1):

    
# Set private domains in case authorative name server returns a RFC1918 IP address
private-domain: "10.in-addr.arpa"
domain-insecure: "10.in-addr.arpa"
private-domain: "168.192.in-addr.arpa"
domain-insecure: "168.192.in-addr.arpa"

...

# Domain overrides
stub-zone:
        name: "10.in-addr.arpa"
        stub-addr: 10.0.0.1
        stub-prime: no
stub-zone:
        name: "168.192.in-addr.arpa"
        stub-addr: 10.0.0.1
        stub-prime: no

    All of the above stuff done by domain overrides is however completely useless due to the private-address stuff added before. To make reverse lookups really work with RFC1918 IPs, you need to do the following in advanced settings:

    
server:; local-zone: "10.in-addr.arpa." nodefault;server:; local-zone: "168.192.in-addr.arpa." nodefault;

    Hmmmm… do not think this is what's been intended.

    0
  • W

    I pushed a fix for this now.

    0
  • D
    Banned

    @wagonza:

    I pushed a fix for this now.

    OK… thanks. Forgot I posted this, so, my fault - can you use please use transparent instead of nodefault?. Reason being, nodefault only works with zones like 10.in-addr.arpa, transparent works with much more granular ones, such as 0.0.10.in-addr.arpa as documented.

    You can also selectively unblock a part of the zone by making that part transparent with a local-zone statement.  This also works with the other default zones.

    0
  • W

    @doktornotor:

    OK… thanks. Forgot I posted this, so, my fault - can you use please use transparent instead of nodefault?. Reason being, nodefault only works with zones like 10.in-addr.arpa, transparent works with much more granular ones, such as 0.0.10.in-addr.arpa as documented.

    Whoops yeah that was meant to be transparent. Now fixed

    0
  • D
    Banned

    Excellent, all works without any custom config lines now! Thanks!

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy