Maintained by: NLnet Labs

[Unbound-users] Filtering unbound Responses (DNS Rebinding issue)

7v5w7go9ub0o
Fri Aug 8 16:35:40 CEST 2008


Florian Weimer wrote:
>> private IP addresses (127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8,
>> 172.16.0.0/12 and 169.254.0.0/16)
> 
> Filtering 127/8 would break DNSBLs, so you can't really do this.
> 

Sorry; I'm a newbie and don't understand the problem.

1. If I want to install a black list, I'd expect to find it as a 
configuration option.

2. I don't see any configuration items specifically titled "DNSBL"; 
closest option seems to be local-data:

# You can override certain queries with
# local-data: "adserver.example.com A 127.0.0.1"


3. This request simply blocks external replies that resolve to private 
addresses; how could some external name server legitimately resolve to a 
127/8 address within my computer?

At any rate, if it is a configuration alternative, the local 
administrator could determine whether it would be advantageous or 
problematic.

Thank you for considering this!
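
The trade-off discussed in this message, as an added example that is not part of the original post and is not Unbound's code: answers from upstream that point into the private ranges listed in the quoted request are dropped, unless the owner name falls under a zone the local administrator has exempted (a DNSBL, which signals "listed" with 127.0.0.x answers). The function names, the `exempt_zones` parameter and the sample records are assumptions made for illustration.

```python
import ipaddress

# The ranges named in the quoted request.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8",
    "172.16.0.0/12", "169.254.0.0/16")]


def is_private(addr):
    """True if the IPv4 address lies in one of the filtered ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def in_zone(name, zone):
    """True if name equals zone or is a subdomain of it (label-boundary match)."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def filter_answers(answers, exempt_zones=()):
    """Split (owner_name, ipv4) A records from an upstream reply into kept/dropped.

    exempt_zones is a hypothetical per-site setting: zones such as a DNSBL
    whose private-range answers the administrator chooses to let through.
    """
    kept, dropped = [], []
    for name, addr in answers:
        exempt = any(in_zone(name, z) for z in exempt_zones)
        if is_private(addr) and not exempt:
            dropped.append((name, addr))
        else:
            kept.append((name, addr))
    return kept, dropped


# Constructed sample records (not taken from any real reply).
SAMPLE = [
    ("www.example.com", "192.0.2.10"),               # public address
    ("rebind.example.net", "192.168.1.1"),           # external name, LAN address
    ("2.0.0.127.dnsbl.example.org", "127.0.0.2"),    # DNSBL "listed" answer
    ("localhost.example.net", "127.0.0.1"),          # external name, loopback
]

if __name__ == "__main__":
    for zones in ((), ("dnsbl.example.org",)):
        kept, dropped = filter_answers(SAMPLE, zones)
        print("exempt:", zones, "\n  kept:", kept, "\n  dropped:", dropped)
```

With no exemption the DNSBL answer is dropped along with the rebinding-style records; with `dnsbl.example.org` exempted it is kept while the other two private-range answers are still filtered.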