Project

General

Profile

Actions

Bug #4014

closed

Unbound private reverse lookup domain overrides not working

Added by Phillip Davis about 10 years ago. Updated about 10 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
DNS Resolver
Target version:
Start date:
11/16/2014
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.2
Affected Architecture:

Description

If I add a domain override for reverse lookups in some private address space, unbound never returns answers to any reverse lookup queries for that. e.g.
49.10.in-addr.arpa 10.49.32.1

It should send reverse lookup queries for IP addresses in 10.49.0.0/16 to the DNS server at 10.49.32.1 for resolution.

I have a fix for this - will submit pull request.


Files

Reverse-domain-override.png (14.4 KB) Reverse-domain-override.png Phillip Davis, 11/16/2014 03:21 AM
Actions #1

Updated by Phillip Davis about 10 years ago

Pull request added: https://github.com/pfsense/pfsense/pull/1340
And attached is a sample of the GUI entry for a reverse domain override of some private address space.

Actions #2

Updated by Warren Baker about 10 years ago

In the latest release (v1.5.0 as of today), there is a new option unblock-lan-zones which is detailed as follows:

- -   Feature, unblock-lan-zones: yesno that you can use to make unbound
perform 10.0.0.0/8 and other reverse lookups normally, for use if
unbound is running service for localhost on localhost.

This may help with this (especially since Unbound from ports is now been used).

Actions #3

Updated by Phillip Davis about 10 years ago

Now works for me on Tue Nov 18 23:43:52 CST 2014 build, reverse looking up internal private IPv4 addresses by having an override like 42.10.in-addr.arpa pointing to the internal Windows Server that has those reverse PTR records.
Someone else could also verify that this is working, since I did the code.

It would also be easy to just set "unblock-lan-zones: yes" - but then I suspect that for the parts of private address space that do not have a reverse lookup domain override defined in the config, the reverse lookups of private IPs will get forwarded to the default place, upstream, which is normally to public internet servers. We do not really want that.

Actions #4

Updated by Chris Buechler about 10 years ago

  • Status changed from New to Resolved

I think the way things are now is best, don't want to be hitting the roots (or forwarders) for PTRs on RFC 1918 in the vast majority of use cases.

Actions #5

Updated by Warren Baker about 10 years ago

Chris Buechler wrote:

I think the way things are now is best, don't want to be hitting the roots (or forwarders) for PTRs on RFC 1918 in the vast majority of use cases.

yeah agreed, however DNSMasq does relay these queries on - as I am sure 99% of other home dsl routers do.

Actions #6

Updated by Phillip Davis about 10 years ago

Yes, they do - quote from http://en.wikipedia.org/wiki/Blackhole_server
"According to IANA, the blackhole servers receive thousands of queries every second."
The public internet has gone to the effort to set up a bunch of servers to give back NXDOMAIN for these rubbish requests.
It is best if pfSense is a good net citizen and does not add to this crud.

Actions

Also available in: Atom PDF