Sv: Sv: respond with fake IP for DNS rebinding hits?
A.Schulze
sca at andreasschulze.de
Wed Nov 19 18:36:23 UTC 2025
Am 19.11.25 um 18:29 schrieb Sebastian Nielsen via Unbound-users:
> Here is a example:
> goteborg.se
> It has this weird "exists:%{i}.spf.hc2437-76.eu.iphmx.com" which for a valid connection translates to 127.0.0.2
>
> Try with for example, 23.90.102.86.spf.hc2437-76.eu.iphmx.com
>
> You can see here:
> https://mxtoolbox.com/SuperTool.aspx?action=a%3a23.90.102.86.spf.hc2437-76.eu.iphmx.com&run=toolpage
> This 127.0.0.2 gets caugt in the DNS rebinding filter, and then the SPF validation fails.
Now I understand your setup.
man (5) unbound.conf say
private-address:
... We consider to enable this for the RFC1918 private IP address space by default in later releases ...
I assume, "private-address" setting is not set by default for good reasons and the unbound developer
didn't changed that default till today.
I see the value of rebind protection a systems, used by humans.
But a mail server is an other use-case.
One way to solve your issue is to run two resolver instances. One for servers and one for end-user systems,
only the later configured with "private-address".
Andreas
More information about the Unbound-users
mailing list