[Unbound-users] problem with NS editnew.net
Leen Besselink
leen at consolejunkie.net
Wed Jun 11 13:43:03 UTC 2014
On Wed, Jun 11, 2014 at 07:24:31AM -0600, Michael MacNeill wrote:
>
> Thank you Willem, unbound-host was extremely useful in tracking down
> this problem.
>
> My first test with it came up with the correct answer with no problem.
> unbound-host -d ns2.editnew.net
>
> I then figured out that I could use the same configuration as the daemon
> unbound-host -C unbound.conf -d ns2.editnew.net
>
> and it failed. So something in the config file.
> Comment and retry until success.
> That is when I discovered my giant brain fart.
>
> When I set dns server up I grabbed a full featured config from somewhere.
>
> I'm not sure where I got it, but you can see it here:
> https://www.nlnetlabs.nl/bugs-script/attachment.cgi?id=143
>
> it includes the lines:
> # Enforce privacy of these addresses. Strips them away from answers.
> # It may cause DNSSEC validation to additionally mark it as bogus.
> # Protects against 'DNS Rebinding' (uses browser as network proxy).
> # Only 'private-domain' and 'local-data' names are allowed to have
> # these private addresses. No default.
> # private-address: 10.0.0.0/8
> # private-address: 172.16.0.0/12
> # private-address: 192.168.0.0/16
> # private-address: 192.254.0.0/16
> # private-address: fd00::/8
> # private-address: fe80::/10
>
> and I uncommented them all. Except that
> # private-address: 192.254.0.0/16
> is not a private address space, and is in fact part of the
> address space used by ns2.editnew.net
>
That is pretty scary, blocking large parts of the Internet.

That should have been:
169.254.0.0/16
Which is the IPv4 link-local address range.

> So using private-address is an effective way to black hole an IP
> address range.
>
> thanks for all the help.
>
> MM
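A check for the mistake discussed in this thread, as an added example that is not part of the original messages or of Unbound: it scans unbound.conf text for active private-address entries and flags any prefix that is not contained in RFC 1918, link-local or IPv6 unique-local space. The function name, the allowed-range list and the sample config are assumptions constructed for illustration.

```python
import ipaddress
import re

# Ranges this example treats as safe to list under private-address (assumption):
# RFC 1918, IPv4 link-local, IPv6 unique-local and IPv6 link-local.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]

DIRECTIVE = re.compile(r"^\s*private-address:\s*(\S+)")

def audit_private_addresses(conf_text):
    """Return (line_no, value, reason) for every active private-address
    entry that is unparsable or not contained in a NON_PUBLIC range."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        line = line.split("#", 1)[0]          # ignore commented-out entries
        match = DIRECTIVE.match(line)
        if not match:
            continue
        value = match.group(1).strip('"')
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append((line_no, value, "not a valid prefix"))
            continue
        # subnet_of() requires matching IP versions, so compare those first.
        if not any(net.version == ok.version and net.subnet_of(ok)
                   for ok in NON_PUBLIC):
            findings.append((line_no, value, "covers public address space"))
    return findings

# Constructed sample: the entries from the post, uncommented as described.
SAMPLE_CONF = """\
server:
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 192.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    # private-address: 8.8.8.0/24
"""

if __name__ == "__main__":
    for line_no, value, reason in audit_private_addresses(SAMPLE_CONF):
        print(f"line {line_no}: private-address {value}: {reason}")
```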