- Feature, unblock-lan-zones: yesno that you can use to make unbound

perform 10.0.0.0/8 and other reverse lookups normally, for use if
  unbound is running service for localhost on localhost.


git-svn-id: file:///svn/unbound/trunk@3133 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,3 +1,8 @@
+20 May 2014: Wouter
+	- Feature, unblock-lan-zones: yesno that you can use to make unbound
+	  perform 10.0.0.0/8 and other reverse lookups normally, for use if
+	  unbound is running service for localhost on localhost.
+
 16 May 2014: Wouter
 	- Updated create_unbound_ad_servers and unbound_cache scripts from
 	  Yuri Voinov in the source/contrib directory. Added

doc/example.conf.in

@@ -437,7 +437,7 @@ server:
 	# the amount of memory to use for the negative cache (used for DLV).
 	# plain value in bytes or you can append k, m or G. default is "1Mb". 
 	# neg-cache-size: 1m
-
+	
 	# By default, for a number of zones a small default 'nothing here'
 	# reply is built-in.  Query traffic is thus blocked.  If you
 	# wish to serve such zone you can unblock them by uncommenting one
@@ -479,6 +479,13 @@ server:
 	# local-zone: "b.e.f.ip6.arpa." nodefault
 	# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
 	# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
+	
+	# if unbound is running service for the local host then it is useful
+	# to perform lan-wide lookups to the upstream, and unblock the
+	# long list of local-zones above.  If this unbound is a dns server
+	# for the network, likely the default is better and stops information
+	# leakage of local lan information.
+	# unblock-lan-zones: no
 
 	# a number of locally served zones can be configured.
 	# 	local-zone: <zone> <type>

doc/unbound.conf.5.in

@@ -780,6 +780,16 @@ Number of bytes size of the aggressive negative cache. Default is 1 megabyte.
 A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
 or gigabytes (1024*1024 bytes in a megabyte).
 .TP
+.B unblock\-lan\-zones: \fI<yesno>
+Default is disabled.  If enabled, then for private address space,
+the reverse lookups are no longer filtered.  This allows unbound when
+running as dns service on a host where it provides service for that host,
+to put out all of the queries for the 'lan' upstream.  By default is no,
+that is for unbound running as a (DHCP-) DNS network resolver for a group
+of machines, where such lookups should be filtered (RFC compliance),
+this also stops potential data leakage about the local network to the
+upstream DNS servers.
+.TP
 .B local\-zone: \fI<zone> <type>
 Configure a local zone. The type determines the answer to give if
 there is no match from local\-data. The types are deny, refuse, static,

services/localzone.c

@@ -594,6 +594,8 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
 
 	/* this list of zones is from RFC 6303 */
 
+	/* block localhost level zones, first, later the LAN zones */
+
 	/* localhost. zone */
 	if(!lz_exists(zones, "localhost.") &&
 		!lz_nodefault(cfg, "localhost.")) {
@@ -650,6 +652,14 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
 		}
 		lock_rw_unlock(&z->lock);
 	}
+
+	/* if unblock lan-zones, then do not add the zones below.
+	 * we do add the zones above, about 127.0.0.1, because localhost is
+	 * not on the lan. */
+	if(cfg->unblock_lan_zones)
+		return 1;
+
+	/* block LAN level zones */
 	if (	!add_as112_default(zones, cfg, "10.in-addr.arpa.") ||
 		!add_as112_default(zones, cfg, "16.172.in-addr.arpa.") ||
 		!add_as112_default(zones, cfg, "17.172.in-addr.arpa.") ||

util/config_file.c

@@ -203,6 +203,7 @@ config_create(void)
 	cfg->local_zones = NULL;
 	cfg->local_zones_nodefault = NULL;
 	cfg->local_data = NULL;
+	cfg->unblock_lan_zones = 0;
 	cfg->python_script = NULL;
 	cfg->remote_control_enable = 0;
 	cfg->control_ifs = NULL;
@@ -426,6 +427,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_YNO("minimal-responses:", minimal_responses)
 	else S_YNO("rrset-roundrobin:", rrset_roundrobin)
 	else S_STRLIST("local-data:", local_data)
+	else S_YNO("unblock-lan-zones:", unblock_lan_zones)
 	else S_YNO("control-enable:", remote_control_enable)
 	else S_STRLIST("control-interface:", control_ifs)
 	else S_NUMBER_NONZERO("control-port:", control_port)
@@ -690,6 +692,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_UNS(opt, "val-override-date", val_date_override)
 	else O_YNO(opt, "minimal-responses", minimal_responses)
 	else O_YNO(opt, "rrset-roundrobin", rrset_roundrobin)
+	else O_YNO(opt, "unblock_lan_zones", unblock_lan_zones)
 	else O_DEC(opt, "max-udp-size", max_udp_size)
 	else O_STR(opt, "python-script", python_script)
 	else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)

util/config_file.h

@@ -273,6 +273,8 @@ struct config_file {
 	struct config_strlist* local_zones_nodefault;
 	/** local data RRs configged */
 	struct config_strlist* local_data;
+	/** unblock lan zones (reverse lookups for 10/8 and so on) */
+	int unblock_lan_zones;
 
 	/** remote control section. enable toggle. */
 	int remote_control_enable;

util/configlexer.lex

@@ -308,6 +308,7 @@ log-queries{COLON}		{ YDVAR(1, VAR_LOG_QUERIES) }
 local-zone{COLON}		{ YDVAR(2, VAR_LOCAL_ZONE) }
 local-data{COLON}		{ YDVAR(1, VAR_LOCAL_DATA) }
 local-data-ptr{COLON}		{ YDVAR(1, VAR_LOCAL_DATA_PTR) }
+unblock-lan-zones{COLON}	{ YDVAR(1, VAR_UNBLOCK_LAN_ZONES) }
 statistics-interval{COLON}	{ YDVAR(1, VAR_STATISTICS_INTERVAL) }
 statistics-cumulative{COLON}	{ YDVAR(1, VAR_STATISTICS_CUMULATIVE) }
 extended-statistics{COLON}	{ YDVAR(1, VAR_EXTENDED_STATISTICS) }

util/configparser.h

@@ -175,7 +175,8 @@ extern int yydebug;
      VAR_MINIMAL_RESPONSES = 384,
      VAR_RRSET_ROUNDROBIN = 385,
      VAR_MAX_UDP_SIZE = 386,
-     VAR_DELAY_CLOSE = 387
+     VAR_DELAY_CLOSE = 387,
+     VAR_UNBLOCK_LAN_ZONES = 388
    };
 #endif
 /* Tokens.  */
@@ -309,6 +310,7 @@ extern int yydebug;
 #define VAR_RRSET_ROUNDROBIN 385
 #define VAR_MAX_UDP_SIZE 386
 #define VAR_DELAY_CLOSE 387
+#define VAR_UNBLOCK_LAN_ZONES 388
 
 
 
@@ -322,7 +324,7 @@ typedef union YYSTYPE
 
 
 /* Line 2049 of yacc.c  */
-#line 326 "util/configparser.h"
+#line 328 "util/configparser.h"
 } YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */

util/configparser.y

@@ -105,7 +105,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
 %token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
 %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
-%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
+%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE VAR_UNBLOCK_LAN_ZONES
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -163,7 +163,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_log_queries | server_tcp_upstream | server_ssl_upstream |
 	server_ssl_service_key | server_ssl_service_pem | server_ssl_port |
 	server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
-    server_so_reuseport | server_delay_close
+	server_so_reuseport | server_delay_close | server_unblock_lan_zones
 	;
 stubstart: VAR_STUB_ZONE
 	{
@@ -678,6 +678,16 @@ server_delay_close: VAR_DELAY_CLOSE STRING_ARG
 		free($2);
 	}
 	;
+server_unblock_lan_zones: VAR_UNBLOCK_LAN_ZONES STRING_ARG
+	{
+		OUTYY(("P(server_unblock_lan_zones:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->unblock_lan_zones = 
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_rrset_cache_size: VAR_RRSET_CACHE_SIZE STRING_ARG
 	{
 		OUTYY(("P(server_rrset_cache_size:%s)\n", $2));