DNS rebinding prevention blocks public IP range
-
This ought to be an easy question, but I sure am google eyed. :o
Last I checked, 192.254.0.0/16 was not part of the private IP pool. The reason DNS rebinding prevention blocks it? Unbound won't resolve klymit.com unless I disable rebinding prevention.
I was searching for a work-around and read to disable the DNS forwarder but add a host or domain override there. Nothing about DNSMasq in that GUI section, though. Now the following entries are in the unbound config, but I'm not certain how they got there. I can resolve the domain name now. Not sure it still will after a reboot of pfSense. It reads:
DNSMasq Host overrides
local-data-ptr: "192.254.190.194 klymit.com"
local-data: "klymit.com IN A 192.254.190.194"
-
I think I found the problem. A simple typo.
In "Unbound DNS Settings" with "Private Address support" checked (enabled), the following lands in the unbound configuration:
For DNS Rebinding prevention
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 192.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10

If you read http://www.unbound.net/documentation/unbound.conf.html it's obvious the addy should be 169.x.x.x, not 192.x.x.x, which is why klymit.com was not resolving.

private-address: <IP address or subnet>
<snip>
We consider to enable this for the RFC1918 private IP address space by default in later releases. That would enable private addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 fd00::/8 and fe80::/10, since the RFC standards say these addresses should not be visible on the public internet. Turning on 127.0.0.0/8 would hinder many spam blocklists as they use that.
</snip>
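As an added example (not from this thread or from pfSense), here is a small Python checker that parses the `private-address:` lines of a generated unbound.conf fragment, flags any range that is not in the set the unbound manual documents, and tells you whether a given upstream A/AAAA answer would be dropped by rebinding protection. The config fragment is a constructed copy of the one quoted above.

```python
import ipaddress
import re

# Ranges the unbound.conf manual lists as the intended private-address set
# (RFC1918 plus v4/v6 link-local), as quoted in the post above.
DOCUMENTED_PRIVATE = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10",
]

# Constructed sample: the fragment pfSense generated with the typo'd range.
SAMPLE_CONF = """\
server:
# For DNS Rebinding prevention
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 192.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
"""

PRIVATE_RE = re.compile(r"^\s*private-address:\s*(\S+)")


def parse_private_addresses(conf_text):
    """Return every network listed as private-address in an unbound config."""
    nets = []
    for line in conf_text.splitlines():
        m = PRIVATE_RE.match(line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def unexpected_ranges(conf_text):
    """Networks marked private that are not in the documented set (likely typos)."""
    documented = {ipaddress.ip_network(n) for n in DOCUMENTED_PRIVATE}
    return [str(n) for n in parse_private_addresses(conf_text) if n not in documented]


def answer_would_be_dropped(conf_text, answer_ip):
    """True if rebinding protection would strip this upstream (non local-data)
    A/AAAA answer because it falls inside a configured private-address range."""
    ip = ipaddress.ip_address(answer_ip)
    return any(ip in n for n in parse_private_addresses(conf_text))
```

Running `unexpected_ranges(SAMPLE_CONF)` returns `['192.254.0.0/16']`, and `answer_would_be_dropped(SAMPLE_CONF, "192.254.190.194")` is True, which is exactly why klymit.com failed to resolve.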
-
Secondly, I thought I could leave "Private Address support" enabled and put a static host in the DNS forwarder, which lands the following in the unbound.conf:
DNSMasq Host overrides
local-data-ptr: "192.254.190.194 klymit.com"
local-data: "klymit.com IN A 192.254.190.194"

The Private Address support note reads, "Domain Overrides and Host entries will be allowed to return answers if this option is enabled." If this is accurate, shouldn't the override above actually override the rebinding prevention below?
For DNS Rebinding prevention
private-address: 192.254.0.0/16
-
Fixed. Geez, that bug has been around for a while!
Thanks
-
People, please revbump the package version when doing similar fixes. Otherwise no one gets a chance to notice and get them.
-
I would revbump if I knew how. ::)