[Unbound-users] How to config whitelist for EDNS client subnetin unbound
余坤
yukun2005 at gmail.com
Thu Jan 8 00:59:53 UTC 2015
If 0.0.0.0/0 is not a good idea, how about setting the prefix length
as max-client-subnet-ipv4 option?
According to unbound.conf manual,
max-client-subnet-ipv4: <number>
Specifies the maximum prefix length of the client source address we
are willing to expose to third parties for IPv4. Defaults to 24.
Since this is the default prefix length exposed to the DNS server that
supports ECS, the records returned by the DNS server must be optimal for
the prefix with a length set by max-client-subnet-ipv4/6.
On Thu, Jan 8, 2015 at 6:23 AM, Yuri Schaeffer <yuri at nlnetlabs.nl> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/06/2015 07:32 PM, Over Dexia wrote:
> > But I believe that would be mitigated by storing the no-ecs
> > response with a source 0.0.0.0/0 (like Kun YU proposed) in the
> > subnet cache. If all queries for that domain use this cache, the
> > reply should be like intended.
>
> Think about what having a scope netmask of 0 means:
> "The most specific answer available for your source IP has the
> first
> 0 bits in common with the address 0.0.0.0"
>
> Thus any query will match this cache entry. Which will result in the
> same behaviour as the current implementation.
>
> //Yuri
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iEYEARECAAYFAlStsfQACgkQI3PTR4mhavjOlACeLaRnZA849R3ZbZcRZcNY45dg
> 5uYAnAzrQzv7SsX6a44y/YM032KGk3Lm
> =T1fI
> -----END PGP SIGNATURE-----
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>
--
Kun YU
Ph.D. Candidate, Department of Electronic Engineering, Tsinghua University,
Beijing, 100084, China.
Mobile Phone:+86 13466535220
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20150108/0597c3e2/attachment.htm>
More information about the Unbound-users
mailing list