Maintained by: NLnet Labs

[Unbound-users] "outgoing tcp": connect failed due to link-local destinations (and other bogus addresses)

Jeroen Massar
Tue Sep 9 23:57:12 CEST 2014


On 2014-09-09 23:50, Yuri Schaeffer wrote:
> Hi Jeroen,
> 
>> (Browsers going to connect to local sites (RFC1918/link-local etc)
>> is of course a scary thing when it a remote site specifying some
>> remotely controlled DNS server specifying those local addresses,
>> but that is a browser issue).
> 
> Using the "private-address" directive in unbound.conf, Unbound can
> protect you against such DNS rebinding attacks.

fe80::/10 should be in there by default then, as without a scope (which
AAAA records do not carry) one cannot connect to them anyway.

> Could you elaborate on the significance of querying multicast addresses?

Unless one is trying to stuff an NS record pointing to mDNS (which won't
work globally and thus does not belong in a DNS AAAA record) it is
pretty futile.

Next to that there is a little bit of packet amplification, that
depending on the multicast-scope and router configuration can reach
quite far.

Like fe80::/10, not a useful thing to send packets to though, hence it
should be considered unreachable by default.

Greets,
 Jeroen
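As an added example (not part of the original message and not Unbound's own code), the following Python script applies the private-address / private-domain idea discussed in the thread to a constructed set of DNS answers: addresses in the listed ranges are stripped from answers for external names, names under an allowed suffix keep them, and a separate check flags the IPv6 link-local case in which a AAAA record hands out an address that is unusable because it carries no zone index. The range list, the `corp.example` suffix and the sample records are assumptions for illustration, not Unbound's shipped defaults.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed range list for this example (an assumption, not Unbound's
# defaults): the RFC 1918 / RFC 4193 private ranges plus the link-local and
# multicast ranges the mail argues should be treated as unreachable too.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",                                  # IPv4 link-local
    "224.0.0.0/4",                                     # IPv4 multicast
    "fd00::/8",                                        # IPv6 ULA (RFC 4193)
    "fe80::/10",                                       # IPv6 link-local (no scope in AAAA)
    "ff00::/8",                                        # IPv6 multicast
)]

# Hypothetical internal zone allowed to resolve to private addresses,
# the analogue of a private-domain entry.
PRIVATE_DOMAINS = ("corp.example",)


def is_private(addr: str, nets=PRIVATE_NETS) -> bool:
    """True if addr falls in any of the configured private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def in_private_domain(name: str, domains=PRIVATE_DOMAINS) -> bool:
    """True if name is, or is under, one of the allowed private domains."""
    n = name.rstrip(".").lower()
    return any(n == d or n.endswith("." + d) for d in domains)


def filter_rrset(name: str, addrs: Iterable[str],
                 nets=PRIVATE_NETS, domains=PRIVATE_DOMAINS
                 ) -> Tuple[List[str], List[str]]:
    """Split an A/AAAA answer for `name` into (kept, dropped).

    Private addresses are dropped unless the name is inside a private
    domain; this is the rebinding defence: a remote zone cannot point a
    browser at 192.168.x.x or fe80::/10 via the resolver.
    """
    if in_private_domain(name, domains):
        return list(addrs), []
    kept: List[str] = []
    dropped: List[str] = []
    for a in addrs:
        (dropped if is_private(a, nets) else kept).append(a)
    return kept, dropped


def link_local_without_scope(addr: str) -> bool:
    """True for an IPv6 link-local address with no zone index (e.g. %eth0).

    A AAAA record can only carry the bare address, so a client receiving
    fe80::1 has no way to pick the interface and cannot connect anyway.
    """
    host, _, zone = addr.partition("%")
    ip = ipaddress.ip_address(host)
    return ip.version == 6 and ip.is_link_local and not zone


if __name__ == "__main__":
    # Constructed sample answers: a remote name trying to point at local
    # ranges, and an internal name that legitimately does.
    samples = {
        "www.example.com": ["93.184.216.34", "192.168.1.10",
                            "fe80::1", "ff02::fb", "2001:db8::1"],
        "intranet.corp.example": ["10.0.0.5"],
    }
    for qname, answers in samples.items():
        kept, dropped = filter_rrset(qname, answers)
        print(f"{qname}: kept={kept} dropped={dropped}")
    for a in ("fe80::1", "fe80::1%eth0", "fd00::1"):
        print(f"{a}: link-local without scope = {link_local_without_scope(a)}")
```

The filter is deliberately address-based rather than name-based: it does not matter whether the zone is malicious or merely misconfigured, an external name is never allowed to resolve to a range the client should only reach locally, and the multicast entries keep a resolver from handing out destinations that would at best be dropped and at worst replicated by the network.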