- Fix #714: Document config to block private-address for IPv4
mapped IPv6 addresses.


git-svn-id: file:///svn/unbound/trunk@3513 be551aaa-1e26-0410-a405-d3ace91eadb9
Wouter Wijngaards 2015-10-23 07:13:45 +00:00
parent 40c139cd8f
commit f24c3229ea
3 changed files with 21 additions and 15 deletions

@ -1,3 +1,7 @@
23 October 2015: Wouter
- Fix #714: Document config to block private-address for IPv4
mapped IPv6 addresses.
22 October 2015: Wouter
- Fix #712: unbound-anchor appears to not fsync root.key.
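Review bot: the Changelog wording is inconsistent with the man page text in the same commit ("IPv4 mapped IPv6 addresses" here, "IPv4-mapped IPv6 addresses" in the unbound.conf.5.in hunk); suggest "IPv4-mapped" in both, and naming the subnet so a reader scanning the Changelog knows what to add, e.g. `- Fix #714: Document config to block private-address for IPv4-mapped IPv6 addresses (::ffff:0:0/96).`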

@ -315,6 +315,7 @@ server:
# private-address: 169.254.0.0/16
# private-address: fd00::/8
# private-address: fe80::/10
# private-address: ::ffff:0:0/96
# Allow the domain (and its subdomains) to contain private addresses.
# local-data statements are allowed to contain private addresses too.
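Review bot: the new `# private-address: ::ffff:0:0/96` line gives no hint of what it is for, unlike the man page change in this commit; a short comment above it would help an operator deciding whether to uncomment it, e.g. `# IPv4-mapped IPv6 form of the private IPv4 ranges above, e.g. ::ffff:10.0.0.1`. The comment should also make clear that ::ffff:0:0/96 covers every IPv4-mapped address, so enabling it removes the mapped form of public IPv4 addresses from answers as well, not only the private ranges listed above it.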

@ -587,21 +587,22 @@ Can be given multiple times, for different domains.
.TP
.B private\-address: \fI<IP address or subnet>
Give IPv4 of IPv6 addresses or classless subnets. These are addresses
on your private network, and are not allowed to be returned for public
internet names. Any occurence of such addresses are removed from
DNS answers. Additionally, the DNSSEC validator may mark the answers
bogus. This protects against so\-called DNS Rebinding, where a user browser
is turned into a network proxy, allowing remote access through the browser
to other parts of your private network. Some names can be allowed to
contain your private addresses, by default all the \fBlocal\-data\fR
that you configured is allowed to, and you can specify additional
names using \fBprivate\-domain\fR. No private addresses are enabled
by default. We consider to enable this for the RFC1918 private IP
address space by default in later releases. That would enable private
addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
fd00::/8 and fe80::/10, since the RFC standards say these addresses
should not be visible on the public internet. Turning on 127.0.0.0/8
would hinder many spamblocklists as they use that.
on your private network, and are not allowed to be returned for
public internet names. Any occurence of such addresses are removed
from DNS answers. Additionally, the DNSSEC validator may mark the
answers bogus. This protects against so\-called DNS Rebinding, where
a user browser is turned into a network proxy, allowing remote access
through the browser to other parts of your private network. Some names
can be allowed to contain your private addresses, by default all the
\fBlocal\-data\fR that you configured is allowed to, and you can specify
additional names using \fBprivate\-domain\fR. No private addresses are
enabled by default. We consider to enable this for the RFC1918 private
IP address space by default in later releases. That would enable private
addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
fd00::/8 and fe80::/10, since the RFC standards say these addresses
should not be visible on the public internet. Turning on 127.0.0.0/8
would hinder many spamblocklists as they use that. Adding ::ffff:0:0/96
stops IPv4-mapped IPv6 addresses from bypassing the filter.
.TP
.B private\-domain: \fI<domain name>
Allow this domain, and all its subdomains to contain private addresses.
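Review bot: the re-wrapped paragraph carries over two defects that this edit could have fixed: "Any occurence of such addresses are removed" should read "Any occurrence of such addresses is removed", and the unchanged context line "Give IPv4 of IPv6 addresses" should read "IPv4 or IPv6". Rewrapping the whole paragraph also buries the one substantive change (the final sentence about ::ffff:0:0/96) in a diff of otherwise identical text; if the rewrap is kept, the new sentence would be clearer with the reason stated, e.g. `Adding ::ffff:0:0/96 stops IPv4-mapped IPv6 addresses from bypassing the filter, since an AAAA record such as ::ffff:10.0.0.1 is not matched by the IPv4 prefix 10.0.0.0/8.`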