Current private-address default?

Fredrik Pettai pettai at sunet.se
Mon Apr 25 19:45:15 UTC 2022


On 25 Apr 2022, at 18:47, Paul Wouters <paul at nohats.ca> wrote:
> On Apr 25, 2022, at 15:12, Fredrik Pettai via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
>> 
>> Hi,
>> 
>> It has been some years since this option was added (unbound 1.5.7 I think).
>> As per the man page for unbound.conf:
>> 
>> ...skipping...
>>      private-address: <IP address or subnet>
>>             Give  IPv4  of  IPv6  addresses  or classless subnets. These are
>>             addresses on your private network, and are  not  allowed  to  be
>>             returned  for  public  internet  names.   Any occurrence of such
>>             addresses are removed from DNS answers.
> 
> 
>> 
>> Q: Are there any plans to update this and add the RFC1918 addresses
>> as non-resolvable by default?
> 
> I hope not. I think that would lead to many unexpected failures. I think this is an item that the DNS admin should enable if they are confident.
> 
> Additionally, if using unbound on laptops and you are getting on via hotspots this would break badly.

After an internal discussion we came to a similar conclusion.
Perhaps the man-page should delete this sentence:

	"We consider to enable this for the  RFC1918
	 private  IP  address  space  by  default in later releases"

…since it hasn’t happened in the last ~7 years now :)

We’re using this:

	do-not-query-address: <RFC1918-addresses>

Perhaps a new complementary option to "do-not-query-localhost" would be useful.
 (For example, a "do-not-query-rfc1918: yes/no" option)

Thx,
/P
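
A simplified model of the private-address filtering quoted from the man page, showing the hotspot breakage raised in the thread. This is an added example, not part of the original message and not Unbound's code; the helper names, host names and addresses are constructed, and the exemption list models the private-domain option from unbound.conf.

```python
import ipaddress

# RFC 1918 ranges, as they would appear on three private-address: lines.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_private_domain(qname, private_domains):
    """True if qname equals, or is a subdomain of, an exempted domain."""
    labels = qname.rstrip(".").lower().split(".")
    for dom in private_domains:
        d = dom.rstrip(".").lower().split(".")
        if labels[-len(d):] == d:
            return True
    return False


def filter_answer(qname, addresses, private_nets=RFC1918, private_domains=()):
    """Return the addresses that survive the private-address policy."""
    if in_private_domain(qname, private_domains):
        return list(addresses)          # exempted zone: nothing is stripped
    kept = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        private = any(ip.version == net.version and ip in net
                      for net in private_nets)
        if not private:
            kept.append(addr)
    return kept


if __name__ == "__main__":
    # Constructed answers: (query name, addresses returned upstream)
    samples = [
        ("www.example.com", ["203.0.113.10", "192.168.1.1"]),  # rebinding-style
        ("login.hotspot.example", ["10.0.0.1"]),               # captive portal
        ("edge.example.net", ["172.32.0.1"]),                  # outside 172.16/12
    ]
    for name, addrs in samples:
        print(name, addrs, "->", filter_answer(name, addrs))
    print(filter_answer("nas.corp.example", ["192.168.10.5"],
                        private_domains=["corp.example"]))
```

The captive-portal name ends up with an empty answer, which is the laptop-on-hotspot failure described above; the exempted internal zone keeps its address.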
