Bug #4023

closed

allowed networks in Unbound inadequate

Added by Chris Buechler about 10 years ago. Updated almost 10 years ago.

Status: Resolved
Priority: High
Category: DNS Resolver
Start date: 11/17/2014
% Done: 100%
Affected Version: 2.2

Description

Unbound defaults to only answering queries from 127.0.0.1, and you add specific allowed networks to permit queries. This is nice in that it should prevent taking part in many DNS reflection DDoS attacks, for those who use way too permissive firewall rules or stupid port forwards.

Currently this list is automatically built including the interface IPv4 subnet of all interfaces where it's enabled. This is missing quite a few possibilities where typical use cases will be refused.

1) IPv6
2) VIPs
3) static routes
4) VPNs

Maybe others. I need to think through this one a bit more to have a good resolution. Thinking just allow RFC1918 by default for v4, and figure out something for v6.
