Maintained by: NLnet Labs

[Unbound-users] problem with NS editnew.net

Leen Besselink
Wed Jun 11 15:43:03 CEST 2014


On Wed, Jun 11, 2014 at 07:24:31AM -0600, Michael MacNeill wrote:
> 
> Thank you Willem, unbound-host was extremely useful in tracking down
> this problem.
> 
> My first test with it came up with the correct answer with no problem:
>   unbound-host -d ns2.editnew.net
> 
> I then figured out that I could use the same configuration as the daemon
>   unbound-host -C unbound.conf -d ns2.editnew.net
> 
> and it failed. So something in the config file.
> Comment and retry until success.
> That is when I discovered my giant brain fart.
> 
> When I set the DNS server up I grabbed a full-featured config from somewhere.
> 
> I'm not sure where I got it, but you can see it here:
> https://www.nlnetlabs.nl/bugs-script/attachment.cgi?id=143
> 
> it includes the lines:
>     # Enforce privacy of these addresses. Strips them away from answers.
>     # It may cause DNSSEC validation to additionally mark it as bogus.
>     # Protects against 'DNS Rebinding' (uses browser as network proxy).
>     # Only 'private-domain' and 'local-data' names are allowed to have
>     # these private addresses. No default.
>     # private-address: 10.0.0.0/8
>     # private-address: 172.16.0.0/12
>     # private-address: 192.168.0.0/16
>     # private-address: 192.254.0.0/16
>     # private-address: fd00::/8
>     # private-address: fe80::/10
> 
> and I uncommented them all. Except that
>     # private-address: 192.254.0.0/16
> is not a private address space, and is in fact part of the
> address space used by ns2.editnew.net.
> 

That is pretty scary, blocking large parts of the Internet.

That should have been:
169.254.0.0/16

Which is the IPv4 link-local address range.

> So using private-address is an effective way to black-hole an IP
> address range.
> 
> thanks for all the help.
> 
> MM
> 

> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
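As an added example (not code from this thread or from the Unbound project), a small checker that reads the active `private-address:` lines of an unbound.conf and reports any range that does not fall inside a known private or special-use block; run against the config quoted above, it would have flagged the 192.254.0.0/16 typo before it black-holed public addresses. The list of "known private" ranges and the sample config are assumptions constructed for the example.

```python
import ipaddress
import re

# Ranges that legitimately belong in private-address. This list is an
# assumption for the example (RFC 1918, IPv4 link-local, loopback, IPv6 ULA,
# IPv6 link-local); extend it for your own environment.
KNOWN_PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
    "fd00::/8", "fe80::/10", "::1/128",
)]

# Matches only uncommented private-address lines (leading whitespace allowed).
PRIVATE_ADDRESS_RE = re.compile(r"^\s*private-address:\s*(\S+)")

# Constructed sample: the thread's block with every line uncommented,
# including the 192.254.0.0/16 typo.
SAMPLE_CONF = """server:
    # private addresses, uncommented from a downloaded example config
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 192.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
"""

def parse_private_addresses(conf_text):
    """Return the active private-address values in file order."""
    return [m.group(1) for line in conf_text.splitlines()
            if (m := PRIVATE_ADDRESS_RE.match(line))]

def check_private_addresses(conf_text):
    """Return (value, reason) for each entry that is malformed or lies outside
    every known private range, i.e. would strip public addresses from answers."""
    findings = []
    for value in parse_private_addresses(conf_text):
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append((value, "not a valid address or prefix"))
            continue
        if not any(net.version == k.version and net.subnet_of(k)
                   for k in KNOWN_PRIVATE):
            findings.append((value, "outside every known private range"))
    return findings

if __name__ == "__main__":
    for value, reason in check_private_addresses(SAMPLE_CONF):
        print(f"suspicious private-address {value}: {reason}")
```

Note that unbound-checkconf accepts 192.254.0.0/16 without complaint, since it is a syntactically valid prefix; only a check like this one catches the semantic mistake.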