Project

General

Profile

Actions

Bug #7884

closed

Unbound refusing non-recursive/iterative queries even from localhost

Added by Kill Bill over 7 years ago. Updated about 7 years ago.

Status:
Resolved
Priority:
Low
Assignee:
-
Category:
DNS Resolver
Target version:
Start date:
09/21/2017
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

This is so much secure that it's annoying and getting in the way of normal work for not exactly any good reason.

# dig www.google.com +trace

; <<>> DiG 9.11.2 <<>> www.google.com +trace
;; global options: +cmd
;; Received 12 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

Wonderful and very "useful". So what's really going on is this:

# dig ns . +norecur

; <<>> DiG 9.11.2 <<>> ns . +norecur
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57656
;; flags: qr ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 21 16:40:09 CEST 2017
;; MSG SIZE  rcvd: 12

Suggested fix for more useful default ACLs for localhost available @ https://github.com/pfsense/pfsense/pull/3826

Actions #1

Updated by Jim Pingle over 7 years ago

  • Status changed from New to Confirmed

PR looks good and the change lets dig +trace and drill -T work locally.

Actions #2

Updated by Anonymous about 7 years ago

On pfSense-netgate-memstick-ADI-2.4.1-DEVELOPMENT-amd64-20171016-1127.img "dig google.com +trace" and "drill -T google.com" both succeed.

Actions #3

Updated by Jim Pingle about 7 years ago

  • Status changed from Confirmed to Resolved
Actions

Also available in: Atom PDF