Bug #9586

Unbound Access List /31 UI Issue

Added by matt s 5 months ago. Updated about 1 month ago.

DNS Resolver
Target version:
Start date:
Due date:
% Done:


Estimated time:
Affected Version:
Affected Architecture:


Forum Topic:\

Consider the below list of /32s whose queries are to be denied by the DNS Resolver as per the rule policy.

Once attempting to add an additional host to this list, like the below, all the /32s convert to /31s, and you will see the UI does not allow you to revert this back to /32s (happening on multiple browsers). As a result the rules are saved as /31 and 2 hosts are affected by this rule, not one (due to /31). This can be corrected if you re-edit the rule after saving, however to the untrained eye this will cause DNS issues to hosts.

I've noticed this recently as my vCenter Appliance ( stopped resolving hostnames and lost connection to ESX hosts (via FQDN) once I added my client to the deny ruleset. At some point once I made an edit on this page, the /32s converted to /31s, and the rule also affected, my vCenter App.

Is this a known bug? It appears to be very consistent and have noticed it for some time.

Please could some others assist with checking this out on their setups to confirm?

As a feature request, I'd like to see aliases as usable in this menu, is that possible at all?
This will allow us to have more granularity around DNS access lists.

Associated revisions

Revision 7ec80e76 (diff)
Added by Steve Beaver 4 months ago

Fixed #9586 by detecting if option list includes /0 or not

Revision aa08527d (diff)
Added by Steve Beaver about 2 months ago

Fixed #9586 by detecting if option list includes /0 or not

(cherry picked from commit 7ec80e763f7e8357a4e5b0d2d57546cfd5d0f0f0)


#2 Updated by Jim Pingle 5 months ago

  • Status changed from New to Confirmed
  • Assignee set to Steve Beaver
  • Priority changed from High to Normal
  • Target version set to 2.5.0

I can confirm this, but it doesn't have an obvious cause. If I change line 241 to have a minimum of 1, then /32 stays OK, but an IPv6 /128 address is still cut down to /127

It doesn't seem to happen to NTP restrict lists which use the same mechanism, though.

#3 Updated by Steve Beaver 4 months ago

  • Status changed from Confirmed to Feedback

Fixed by detecting if option list includes /0 or not

#4 Updated by Steve Beaver 4 months ago

  • % Done changed from 0 to 100

#5 Updated by Viktor Gurov about 1 month ago

Steve Beaver wrote:

Applied in changeset 7ec80e763f7e8357a4e5b0d2d57546cfd5d0f0f0.

Tested on 2.5.0.a.20191011.1853

correct now:

# cat /var/unbound/access_lists.conf | grep 3[1-2]
access-control: allow_snoop
access-control: allow
access-control: allow
access-control: allow
access-control: allow


#6 Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Resolved

Also available in: Atom PDF