Current private-address default?
Fredrik Pettai
pettai at sunet.se
Mon Apr 25 19:45:15 UTC 2022
On 25 Apr 2022, at 18:47, Paul Wouters <paul at nohats.ca> wrote:
> On Apr 25, 2022, at 15:12, Fredrik Pettai via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
>>
>> Hi,
>>
>> It was some years since this option was added (unbound 1.5.7 I think).
>> As per the man page for unbound.conf:
>>
>> ...skipping...
>> private-address: <IP address or subnet>
>> Give IPv4 or IPv6 addresses or classless subnets. These are
>> addresses on your private network, and are not allowed to be
>> returned for public internet names. Any occurrence of such
>> addresses are removed from DNS answers.
>
>
>>
>> Q: Are there any plans to update this and add the RFC1918 addresses
>> as non-resolvable by default ?
>
> I hope not. I think that would lead to many unexpected failures. I think this is an item that the DNS admin should enable if they are confident.
>
> Additionally, if using unbound on laptops and you are getting on via hotspots, this would break badly.
After an internal discussion we came to a similar conclusion.

Perhaps the man-page should delete this sentence:

"We consider to enable this for the RFC1918
private IP address space by default in later releases"

…since it hasn't happened in the last ~7 years now :)

We are using this:

do-not-query-address: <RFC1918-addresses>

Perhaps a new complementary option to "do-not-query-localhost" would be useful.
(For example, a "do-not-query-rfc1918: yes/no" option)

Thx,
/P
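The following is an added example, not part of the original message and not Unbound's code: a small Python model of the `private-address` filtering quoted from the man page, showing both the stripping of RFC1918 addresses from public names and the empty-answer failure the thread worries about. The sample names and addresses are constructed, the hotspot case assumes a portal name that resolves to an RFC1918 address, and `private_domain` models Unbound's `private-domain` exemption option, which the thread does not mention.

```python
import ipaddress

# RFC 1918 ranges: the set the thread discusses enabling by default.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def filter_answer(qname, addresses, private_address=RFC1918, private_domain=()):
    """Model of private-address: return (kept, removed) for one answer.

    Addresses inside any private_address subnet are stripped unless qname
    falls under a private_domain entry (the exemption for internal zones).
    """
    nets = [ipaddress.ip_network(n) for n in private_address]
    if any(in_domain(qname, d) for d in private_domain):
        return list(addresses), []
    kept, removed = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        (removed if any(ip in n for n in nets) else kept).append(addr)
    return kept, removed


# Constructed sample answers (names and addresses are illustrative only).
SAMPLES = [
    ("www.example.com", ["203.0.113.10", "192.168.1.1"], ()),
    ("login.hotspot.example", ["10.0.0.1"], ()),            # hotspot-style portal
    ("nas.corp.example", ["10.1.2.3"], ("corp.example",)),  # exempted zone
    ("edge.example.net", ["172.32.0.1"], ()),               # just outside the /12
]

if __name__ == "__main__":
    for qname, addrs, domains in SAMPLES:
        kept, removed = filter_answer(qname, addrs, private_domain=domains)
        status = "ok" if kept else "EMPTY ANSWER"
        print(f"{qname:24} kept={kept} removed={removed} {status}")
```

The second sample is the case to check before enabling the option on roaming clients: every address in the answer is private, so nothing is left to return.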