Maintained by: NLnet Labs

[Unbound-users] "outgoing tcp": connect failed due to link-local destinations (and other bogus addresses)

W.C.A. Wijngaards
Fri Sep 19 09:44:02 CEST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On 09/09/2014 11:57 PM, Jeroen Massar wrote:
> On 2014-09-09 23:50, Yuri Schaeffer wrote:
>> Hi Jeroen,
>> 
>>> (Browsers going to connect to local sites (RFC1918/link-local
>>> etc) is of course a scary thing when it a remote site
>>> specifying some remotely controlled DNS server specifying those
>>> local addresses, but that is a browser issue).
>> 
>> Using the "private-address" directive in unbound.conf, Unbound
>> can protect you against such DNS rebinding attacks.
> 
> fe80::/10 should be in there per default then as without scope
> (which AAAA records do not carry) one cannot connect to them
> anyway.
> 
>> Could you elaborate on the significance of querying multicast
>> addresses?
> 
> Unless one is trying to stuff a NS record pointing to mDNS (which
> won't work globally and thus does not belong in a DNS AAAA record)
> it is pretty futile.
> 
> Next to that there is a little bit of packet amplification, that 
> depending on the multicast-scope and router configuration can
> reach quite far.
> 
> Like fe80::/10 not a useful thing to send packets too though,
> hence should be considered unreachable per default.

Yes that is true and multicast sends packets to too many destinations.
 But then when I look at IPv4 that means blocking a large block of
address space where the RFC seems to talk about MBONE ... I am not
sure if blocking that address space in default DNS resolver
configuration is a good thing for IPv4 (future compatibility)?

multicast: block ff00::/8 and 224.0.0.0/4 and 255.255.255.255/32.
linkscope: block fe80::/10.
(linkscope ipv4 seems to be 224.0.0.0/24, but that is part of the
multicast IPv4 reservation).

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUG97CAAoJEJ9vHC1+BF+N4/QP+gKAFYGsTeAR7EeWyUHCMTWR
UQQYkBltnI8YeGYxlXRtJg4a2FOwFC0kQvSN6xc17aoeDkHsv/szaKX3tVZ8e42D
cIBmG2R3fWBlHm2LxGYeRE8Z9ES6B7iD8Xiyv6ew6YC/H1gxtlsbQfw5WIqe2gtu
3ilVEvV9yyGRMJQk/Vn+LwjdSmJia1FssN03NBIM0lnSeAipRXvpY7sezP7Y7gpL
POD8ERMrx6lnfTk3XPk1nrEVoacO+zpBqbhx53vjEZsFJPtoO39FOv/zvtA3W6vP
QMRmAysQix3sYsgYA4QWpAo+j6GOEk1VbJBjOTJnOV7CmVx/nloxxQkKMuSlKNu0
LAySe4Z+ijNvpVJYBv2kxl09OH+/3zF8zZfYTJwyJxpqQntA72ZUMsMsWWr/WtPY
0kHireDNukQGjYJskuxGVpB2oFGhK4q0Fvdk+8OV7WK1L3L8Frj5PCtCO4ubyrmJ
6/v+MTpP0xpT2HN/fZeBWKaK0k0zr/50Or9iZzDoWwamSRID2KPO3DO0hUX33VPu
sEd1BUkCVAC63CGxND5JdkQ+UyaBlv4F5XvNj58n+W0qxQlmvEvnzMYufvhZdHNt
NRrhCQiWTS+C6EU5mTVr4OwLCfqx+lUewoa2iUpt56HSXuC0KWA7IGkdSwA/x6k0
Fjx2HqoBBS9ehVw6OGrE
=CW3z
-----END PGP SIGNATURE-----