[Unbound-users] "outgoing tcp": connect failed due to link-local destinations (and other bogus addresses)
Jeroen Massar
jeroen at massar.ch
Tue Sep 9 21:57:12 UTC 2014
On 2014-09-09 23:50, Yuri Schaeffer wrote:
> Hi Jeroen,
>
>> (Browsers going to connect to local sites (RFC1918/link-local etc)
>> is of course a scary thing when it is a remote site specifying some
>> remotely controlled DNS server specifying those local addresses,
>> but that is a browser issue).
>
> Using the "private-address" directive in unbound.conf, Unbound can
> protect you against such DNS rebinding attacks.
fe80::/10 should be in there per default then as without scope (which
AAAA records do not carry) one cannot connect to them anyway.
> Could you elaborate on the significance of querying multicast addresses?
Unless one is trying to stuff a NS record pointing to mDNS (which won't
work globally and thus does not belong in a DNS AAAA record) it is
pretty futile.
Next to that there is a little bit of packet amplification, that
depending on the multicast-scope and router configuration can reach
quite far.
Like fe80::/10, not a useful thing to send packets to though, hence it
should be considered unreachable per default.
Greets,
Jeroen
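The following is an added example (editor's illustration, not code from the thread or from the Unbound project). It models what the `private-address` directive does to a DNS answer: any address inside a listed prefix is stripped before the answer reaches the client. The sample zone names, the answer set and the prefix lists are constructed for the example; the only Unbound-specific thing reproduced is the `private-address: <prefix>` line syntax. It shows the point made above: with a list that omits fe80::/10, a link-local AAAA survives the filter even though, lacking a scope id, it can never be connected to, and multicast answers are likewise pointless.

```python
import ipaddress

# Prefixes an operator might list under private-address in unbound.conf.
# Constructed for this example; these are not Unbound's shipped defaults.
BASE_PRIVATE = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC1918
    "169.254.0.0/16",                                 # IPv4 link-local
    "fd00::/8",                                       # IPv6 ULA
]
# The addition argued for in the thread: IPv6 link-local.
WITH_LINK_LOCAL = BASE_PRIVATE + ["fe80::/10"]

# Constructed answer set. "rebind.example.test" is a hypothetical attacker
# controlled name whose answers point at local and unusable addresses.
SAMPLE_ANSWERS = {
    "app.example.test": ["203.0.113.10"],
    "rebind.example.test": ["192.168.1.1", "fe80::1", "ff02::fb", "2001:db8::1"],
}


def matching_prefix(addr, private_prefixes):
    """Return the first listed prefix containing addr, or None.

    ipaddress handles the v4/v6 mismatch for us: an IPv6 address is never
    'in' an IPv4 network and vice versa.
    """
    ip = ipaddress.ip_address(addr)
    for prefix in private_prefixes:
        if ip in ipaddress.ip_network(prefix, strict=False):
            return prefix
    return None


def filter_answers(answers, private_prefixes):
    """Apply private-address semantics: drop listed addresses from each answer.

    Returns {name: {"kept": [addr, ...], "dropped": {addr: prefix}}}.
    """
    result = {}
    for name, rrset in answers.items():
        kept, dropped = [], {}
        for addr in rrset:
            hit = matching_prefix(addr, private_prefixes)
            if hit is None:
                kept.append(addr)
            else:
                dropped[addr] = hit
        result[name] = {"kept": kept, "dropped": dropped}
    return result


def unusable(addrs):
    """Addresses that passed the filter but cannot be meaningfully connected to.

    An AAAA record carries no scope id, so a link-local address is unroutable
    for the client; a multicast address is not a host at all.
    """
    reasons = {}
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.is_multicast:
            reasons[addr] = "multicast"
        elif ip.is_link_local:
            reasons[addr] = "link-local without scope id"
    return reasons


def render_private_address(prefixes):
    """Emit the unbound.conf lines for a prefix list (real directive syntax)."""
    return ["private-address: %s" % p for p in prefixes]


if __name__ == "__main__":
    for label, prefixes in (("base", BASE_PRIVATE), ("with fe80::/10", WITH_LINK_LOCAL)):
        print("== private-address list:", label)
        filtered = filter_answers(SAMPLE_ANSWERS, prefixes)
        for name, outcome in filtered.items():
            print(name, "kept", outcome["kept"], "dropped", outcome["dropped"])
            print("  still unusable:", unusable(outcome["kept"]))
    print("\n".join(render_private_address(WITH_LINK_LOCAL)))
```

Running it shows that with the base list the link-local and multicast answers are passed to the client unchanged and only show up as "still unusable"; adding fe80::/10 moves the link-local answer into the dropped set, which is the behaviour the post argues for.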