Current private-address default?
Fredrik Pettai
pettai at sunet.se
Mon Apr 25 12:55:46 UTC 2022
Hi,
It has been some years since this option was added (unbound 1.5.7, I think).
As per the man page for unbound.conf:
private-address: <IP address or subnet>
Give IPv4 or IPv6 addresses or classless subnets. These are
addresses on your private network, and are not allowed to be
returned for public internet names. Any occurrence of such
addresses is removed from DNS answers. Additionally, the DNSSEC
validator may mark the answers bogus. This protects against
so-called DNS Rebinding, where a user's browser is turned into a
network proxy, allowing remote access through the browser to
other parts of your private network. Some names can be allowed
to contain your private addresses; by default all the local-data
that you configured is allowed to, and you can specify additional
names using private-domain. No private addresses are
enabled by default. We are considering enabling this for the RFC1918
private IP address space by default in later releases. That
would enable private addresses for 10.0.0.0/8 172.16.0.0/12
192.168.0.0/16 169.254.0.0/16 fd00::/8 and fe80::/10, since the
RFC standards say these addresses should not be visible on the
public internet.
Q: Are there any plans to update this and add the RFC1918 addresses
as non-resolvable by default?
(I've noticed that we do see some errors that are an artefact of unbound still
allowing those by default.)
Re,
/P
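To make the man-page behaviour concrete, here is an added example (my own illustration, not Unbound's code or anything from the original post) that models what private-address and private-domain do to an answer. It parses a constructed unbound.conf fragment containing the six ranges the man page lists plus one assumed private-domain ("corp.example"), then strips A/AAAA records that fall inside those ranges unless the queried name is under an allowed domain. The "bogus" verdict for signed answers is a simplified stand-in for the validator behaviour the man page only says "may" happen.

```python
"""Model of Unbound's private-address / private-domain filtering.

Added example, not Unbound's own code. It parses a constructed
unbound.conf fragment and strips private addresses from answers for
names that are not covered by a private-domain entry.
"""
import ipaddress

# Constructed configuration fragment (assumption: one private-domain,
# "corp.example", is allowed to carry private addresses).
CONFIG = """
server:
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    private-domain: "corp.example"
"""


def parse_config(text):
    """Return (private networks, private domains) from server: lines."""
    nets, domains = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "private-address":
            nets.append(ipaddress.ip_network(value, strict=False))
        elif key == "private-domain":
            domains.append(value.rstrip(".").lower())
    return nets, domains


def is_private(addr, nets):
    """True if addr lies in any configured private network.

    Address/network version mismatches (v4 addr vs v6 net) are False.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def name_allowed(qname, domains):
    """True if qname equals or is a subdomain of a private-domain entry."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


def filter_answer(qname, rrset, nets, domains):
    """Split an answer into (kept, removed) records.

    rrset is a list of (rtype, rdata) tuples. A/AAAA records carrying a
    private address are removed unless qname is under a private-domain.
    """
    if name_allowed(qname, domains):
        return list(rrset), []
    kept, removed = [], []
    for rtype, rdata in rrset:
        if rtype in ("A", "AAAA") and is_private(rdata, nets):
            removed.append((rtype, rdata))
        else:
            kept.append((rtype, rdata))
    return kept, removed


def verdict(qname, rrset, nets, domains, dnssec_signed=False):
    """Return (kept, removed, status).

    Assumption for illustration: a signed answer that had private
    addresses stripped is reported as "bogus", otherwise "ok".
    """
    kept, removed = filter_answer(qname, rrset, nets, domains)
    status = "bogus" if (removed and dnssec_signed) else "ok"
    return kept, removed, status


if __name__ == "__main__":
    nets, domains = parse_config(CONFIG)
    # Constructed answer: a public name pointing a client at 192.168/16.
    answer = [("A", "192.168.1.10"), ("A", "203.0.113.7")]
    print(verdict("rebind.attacker.example.", answer, nets, domains, True))
    print(verdict("printer.corp.example.", [("A", "10.1.2.3")], nets, domains))
```

Running the script shows the public name losing its 192.168.1.10 record (and being marked bogus because it was signed), while the same kind of address survives under corp.example. In a real deployment the equivalent is to put the private-address lines above in the server: section, add private-domain for the zones that legitimately hand out internal addresses, and run unbound-checkconf before reloading.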