Maintained by: NLnet Labs

[Unbound-users] problem with NS editnew.net

Michael MacNeill
Wed Jun 11 15:24:31 CEST 2014


Thank you Willem, unbound-host was extremely useful in tracking down 
this problem.

my first test with it came up with the correct answer with no problem.
   unbound-host -d ns2.editnew.net

I then figured out that I could use the same configuration as the daemon
   unbound-host -C unbound.conf -d ns2.editnew.net

and it failed. so something in the config file.
comment and retry until success.
that is when I discovered my giant brain fart.

When I set dns server up I grabbed a full featured config from somewhere.

I'm not sure where I got it, but you can see it here:
https://www.nlnetlabs.nl/bugs-script/attachment.cgi?id=143

it includes the lines:
     # Enforce privacy of these addresses. Strips them away from answers.
     # It may cause DNSSEC validation to additionally mark it as bogus.
     # Protects against 'DNS Rebinding' (uses browser as network proxy).
     # Only 'private-domain' and 'local-data' names are allowed to have
     # these private addresses. No default.
     # private-address: 10.0.0.0/8
     # private-address: 172.16.0.0/12
     # private-address: 192.168.0.0/16
     # private-address: 192.254.0.0/16
     # private-address: fd00::/8
     # private-address: fe80::/10

and I uncommented them all. Except that
*    # private-address: 192.254.0.0/16**
***is not a private address space. and is in fact part of the address 
space used by ns2.editnew.net

so using private-address is an effective way to black hole an IP address 
range.

thanks for all the help.

MM

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20140611/9acc733b/attachment.html>