[Unbound-users] "outgoing tcp": connect failed due to link-local destinations (and other bogus addresses)

Simon Deziel simon+unbound at sdeziel.info
Tue Sep 9 21:05:10 UTC 2014

On 09/09/2014 04:45 PM, Jeroen Massar wrote:
> Seems somebody put fe80:: as a AAAA for a NS record in public DNS.
> Would be fun to see what happens when somebody enters:
> $ORIGIN example.com.
> 	NS	ns1.example.com
> ns1	AAAA	ff02::1
> Or something similar, hence, please have a default option for filtering
> out that kind of responses (for at least the outgoing connects by unbound.
> And if there is such an option, should that not be a default?

You can add the following under "server:"

    # Do not connect to IPv6 link-local addresses
    do-not-query-address: fe80::/10


More information about the Unbound-users mailing list