Unbound - RFC1918 PTRs vs. Private Address support/Domain Overrides

doktornotor

Well, if you check the "Private Address support" checkbox, you get this in unbound.conf:

# For DNS Rebinding prevention
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 192.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10

Adding Domain Overrides for reverse lookup zones does something like this (assuming the DNS server IP is 10.0.0.1):

# Set private domains in case authorative name server returns a RFC1918 IP address
private-domain: "10.in-addr.arpa"
domain-insecure: "10.in-addr.arpa"
private-domain: "168.192.in-addr.arpa"
domain-insecure: "168.192.in-addr.arpa"

...

# Domain overrides
stub-zone:
        name: "10.in-addr.arpa"
        stub-addr: 10.0.0.1
        stub-prime: no
stub-zone:
        name: "168.192.in-addr.arpa"
        stub-addr: 10.0.0.1
        stub-prime: no

All of the above stuff done by domain overrides is however completely useless due to the private-address stuff added before. To make reverse lookups really work with RFC1918 IPs, you need to do the following in advanced settings:

server:; local-zone: "10.in-addr.arpa." nodefault;server:; local-zone: "168.192.in-addr.arpa." nodefault;

Hmmmm… do not think this is what's been intended.

wagonza

I pushed a fix for this now.

doktornotor

@wagonza:

I pushed a fix for this now.

OK… thanks. Forgot I posted this, so, my fault - can you use please use transparent instead of nodefault?. Reason being, nodefault only works with zones like 10.in-addr.arpa, transparent works with much more granular ones, such as 0.0.10.in-addr.arpa as documented.

You can also selectively unblock a part of the zone by making that part transparent with a local-zone statement.  This also works with the other default zones.

wagonza

@doktornotor:

OK… thanks. Forgot I posted this, so, my fault - can you use please use transparent instead of nodefault?. Reason being, nodefault only works with zones like 10.in-addr.arpa, transparent works with much more granular ones, such as 0.0.10.in-addr.arpa as documented.

Whoops yeah that was meant to be transparent. Now fixed

doktornotor

Excellent, all works without any custom config lines now! Thanks!