[Unbound-users] "outgoing tcp": connect failed due to link-local destinations (and other bogus addresses)
wouter at nlnetlabs.nl
Fri Sep 19 07:44:02 UTC 2014
On 09/09/2014 11:57 PM, Jeroen Massar wrote:
> On 2014-09-09 23:50, Yuri Schaeffer wrote:
>> Hi Jeroen,
>>> (Browsers going to connect to local sites (RFC1918/link-local
>>> etc) is of course a scary thing when it a remote site
>>> specifying some remotely controlled DNS server specifying those
>>> local addresses, but that is a browser issue).
>> Using the "private-address" directive in unbound.conf, Unbound
>> can protect you against such DNS rebinding attacks.
> fe80::/10 should be in there per default then as without scope
> (which AAAA records do not carry) one cannot connect to them
>> Could you elaborate on the significance of querying multicast
> Unless one is trying to stuff a NS record pointing to mDNS (which
> won't work globally and thus does not belong in a DNS AAAA record)
> it is pretty futile.
> Next to that there is a little bit of packet amplification, that
> depending on the multicast-scope and router configuration can
> reach quite far.
> Like fe80::/10, not a useful thing to send packets to though,
> hence should be considered unreachable per default.
Yes, that is true, and multicast sends packets to too many destinations.
But then when I look at IPv4 that means blocking a large block of
address space where the RFC seems to talk about MBONE ... I am not
sure if blocking that address space in default DNS resolver
configuration is a good thing for IPv4 (future compatibility)?
multicast: block ff00::/8 and 224.0.0.0/4 and 255.255.255.255/32.
linkscope: block fe80::/10.
(linkscope ipv4 seems to be 224.0.0.0/24, but that is part of the
multicast IPv4 reservation).
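The following is an added example, not code from Unbound or from anyone on this thread. It models the `private-address` filtering discussed above: a constructed unbound.conf fragment (the RFC1918 ranges plus the link-local and multicast ranges proposed in the message) is parsed, then a set of constructed A/AAAA answers is run through the same "remove matching addresses from the answer" rule, and a helper reports which of the proposed ranges a given configuration still lacks. It is a simplified model of the filter; it does not reproduce Unbound's own parser or its `private-domain` exceptions, and the hostnames and addresses are made up for the demonstration.

```python
import ipaddress
from typing import List, Tuple

# Constructed unbound.conf fragment (assumption, not the list's or Unbound's default):
# RFC1918 plus the link-local and multicast ranges the thread suggests blocking.
UNBOUND_CONF = """
server:
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16     # IPv4 link-local (RFC 3927)
    private-address: fe80::/10          # IPv6 link-local: AAAA cannot carry a scope id
    private-address: ff00::/8           # IPv6 multicast
    private-address: 224.0.0.0/4        # IPv4 multicast (includes 224.0.0.0/24 local control)
    private-address: 255.255.255.255/32 # limited broadcast
"""

# The ranges proposed in the message, used to audit a configuration.
PROPOSED_RANGES = ["fe80::/10", "ff00::/8", "224.0.0.0/4", "255.255.255.255/32"]


def parse_private_addresses(conf: str) -> List[ipaddress._BaseNetwork]:
    """Collect every 'private-address:' value from an unbound.conf text.

    Only this one directive is understood; comments after '#' are ignored.
    """
    nets = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("private-address:"):
            continue
        value = line.split(":", 1)[1].strip()
        nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def is_private_address(addr: str, nets) -> bool:
    """True if addr falls inside any configured private-address prefix.

    'ip in net' is False across address families, so mixing v4/v6 is safe.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def filter_answers(answers: List[Tuple[str, str, str]], nets):
    """Split (owner, rrtype, address) answers into (kept, dropped).

    Mirrors the documented effect of private-address: matching addresses are
    removed from answers for public names, which defeats a rebinding attempt
    that points a public hostname at an internal or link-local address.
    """
    kept, dropped = [], []
    for owner, rrtype, addr in answers:
        (dropped if is_private_address(addr, nets) else kept).append((owner, rrtype, addr))
    return kept, dropped


def missing_proposed_ranges(nets) -> List[str]:
    """Return the proposed ranges not fully covered by the configured prefixes."""
    missing = []
    for text in PROPOSED_RANGES:
        wanted = ipaddress.ip_network(text)
        covered = any(
            net.version == wanted.version and wanted.subnet_of(net) for net in nets
        )
        if not covered:
            missing.append(text)
    return missing


# Constructed answers; 203.0.113.0/24 and 2001:db8::/32 are documentation
# prefixes standing in for ordinary public addresses.
SAMPLE_ANSWERS = [
    ("www.example.com.", "A", "203.0.113.10"),
    ("www.example.com.", "AAAA", "2001:db8::1"),
    ("rebind.example.net.", "A", "192.168.1.1"),   # RFC1918 target
    ("rebind.example.net.", "AAAA", "fe80::1"),    # link-local, no scope in DNS
    ("rebind.example.net.", "AAAA", "ff02::1"),    # all-nodes multicast
    ("rebind.example.net.", "A", "224.0.0.251"),   # mDNS group, inside 224.0.0.0/4
]

if __name__ == "__main__":
    nets = parse_private_addresses(UNBOUND_CONF)
    kept, dropped = filter_answers(SAMPLE_ANSWERS, nets)
    print("kept:", kept)
    print("dropped:", dropped)
    print("missing from config:", missing_proposed_ranges(nets))
```

Running the block with the constructed configuration keeps the two documentation-prefix answers and drops the four internal, link-local and multicast ones; `missing_proposed_ranges` returns an empty list for this configuration, and returns the link-local and multicast entries for a configuration that lists only the RFC1918 ranges, which is the gap the message is asking about.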