Bug #4014
Unbound private reverse lookup domain overrides not working
Status: closed
Description
If I add a domain override for reverse lookups in some private address space, unbound never returns answers to any reverse lookup queries for that. e.g.
49.10.in-addr.arpa 10.49.32.1
It should send reverse lookup queries for IP addresses in 10.49.0.0/16 to the DNS server at 10.49.32.1 for resolution.
I have a fix for this - will submit pull request.
Updated by Phillip Davis almost 10 years ago
Pull request added: https://github.com/pfsense/pfsense/pull/1340
And attached is a sample of the GUI entry for a reverse domain override of some private address space.
Updated by Warren Baker almost 10 years ago
In the latest release (v1.5.0 as of today), there is a new option unblock-lan-zones which is detailed as follows:
- Feature, unblock-lan-zones: yesno that you can use to make unbound perform 10.0.0.0/8 and other reverse lookups normally, for use if unbound is running service for localhost on localhost.
This may help with this (especially since Unbound from ports is now being used).
Updated by Phillip Davis almost 10 years ago
Now works for me on Tue Nov 18 23:43:52 CST 2014 build, reverse looking up internal private IPv4 addresses by having an override like 42.10.in-addr.arpa pointing to the internal Windows Server that has those reverse PTR records.
Someone else could also verify that this is working, since I did the code.
It would also be easy to just set "unblock-lan-zones: yes" - but then I suspect that for the parts of private address space that do not have a reverse lookup domain override defined in the config, the reverse lookups of private IPs will get forwarded to the default place, upstream, which is normally to public internet servers. We do not really want that.
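The trade-off in the comment above, as an added model (not pfSense or unbound code): overrides take precedence as the fix intends, and the RFC 1918 reverse zones that unbound blocks by default are the ones `unblock-lan-zones: yes` would let through to upstream. The zone list is assumed to be the RFC 1918 subset of unbound's default local zones.

```python
import ipaddress

# RFC 1918 reverse zones that unbound answers NXDOMAIN for by default.
# Assumption: the RFC 1918 subset of unbound's built-in local zones.
RFC1918_REVERSE_ZONES = (
    ("10.in-addr.arpa.",)
    + tuple(f"{i}.172.in-addr.arpa." for i in range(16, 32))
    + ("168.192.in-addr.arpa.",)
)


def reverse_name(ip: str) -> str:
    """PTR query name for an IPv4 address, as an absolute name."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is zone itself or lies beneath it."""
    return qname == zone or qname.endswith("." + zone)


def resolution_path(ip, overrides, unblock_lan_zones=False):
    """Where a PTR query for ip ends up under the behaviour the thread describes.

    overrides maps reverse zone -> server, like the GUI entry
    "49.10.in-addr.arpa -> 10.49.32.1".  Returns ("override", server),
    ("local-nxdomain", zone) or ("upstream", None).  Assumes the fix is in
    place: an override beats the default block, most specific override wins.
    """
    qname = reverse_name(ip)
    best = None
    for zone, server in overrides.items():
        zone = zone.rstrip(".") + "."
        if in_zone(qname, zone) and (best is None or len(zone) > len(best[0])):
            best = (zone, server)
    if best is not None:
        return ("override", best[1])
    if not unblock_lan_zones:
        for zone in RFC1918_REVERSE_ZONES:
            if in_zone(qname, zone):
                return ("local-nxdomain", zone)
    # No override and no local block: the query goes to forwarders or roots.
    return ("upstream", None)


def uncovered_private_zones(overrides):
    """RFC 1918 reverse zones with no override inside them: with
    unblock-lan-zones set, every PTR query in them would leak upstream."""
    norm = [z.rstrip(".") + "." for z in overrides]
    return [zone for zone in RFC1918_REVERSE_ZONES
            if not any(in_zone(o, zone) for o in norm)]
```

Note that even the covered 10.in-addr.arpa. only resolves internally for 10.49.0.0/16; with `unblock-lan-zones: yes` a PTR query for 10.1.2.3 still goes upstream.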
Updated by Chris Buechler almost 10 years ago
- Status changed from New to Resolved
I think the way things are now is best, don't want to be hitting the roots (or forwarders) for PTRs on RFC 1918 in the vast majority of use cases.
Updated by Warren Baker almost 10 years ago
Chris Buechler wrote:
I think the way things are now is best, don't want to be hitting the roots (or forwarders) for PTRs on RFC 1918 in the vast majority of use cases.
yeah agreed, however DNSMasq does relay these queries on - as I am sure 99% of other home dsl routers do.
Updated by Phillip Davis almost 10 years ago
Yes, they do - quote from http://en.wikipedia.org/wiki/Blackhole_server
"According to IANA, the blackhole servers receive thousands of queries every second."
The public internet has gone to the effort to set up a bunch of servers to give back NXDOMAIN for these rubbish requests.
It is best if pfSense is a good net citizen and does not add to this crud.