Correct, I have manually set up the DNS rebinding protection feature to increase security.

Is there any way to rewrite all 127.0.0.0/8 responses to a custom IP? I suspect there is some rewrite module or similar that can replace responses, right? The mail server and LAN clients are behind the same firewall; that's why I need rebinding protection. I could move the mail server off the LAN to a separate net, but that requires pulling a long new patch cable.

-----Original message-----
From: A.Schulze via Unbound-users <[email protected]>
Sent: 19 November 2025 19:38
To: [email protected]
Subject: Re: Re: Re: respond with fake IP for DNS rebinding hits?

On 19.11.25 at 18:29, Sebastian Nielsen via Unbound-users wrote:
> Here is an example:
> goteborg.se
> It has this weird "exists:%{i}.spf.hc2437-76.eu.iphmx.com" which for a valid
> connection translates to 127.0.0.2
>
> Try with, for example, 23.90.102.86.spf.hc2437-76.eu.iphmx.com
>
> You can see here:
> https://mxtoolbox.com/SuperTool.aspx?action=a%3a23.90.102.86.spf.hc2437-76.eu.iphmx.com&run=toolpage
> This 127.0.0.2 gets caught in the DNS rebinding filter, and then the SPF
> validation fails.

Now I understand your setup.

man (5) unbound.conf says:

    private-address: ... We consider to enable this for the RFC1918 private IP address space by default in later releases ...

I assume the "private-address" setting is not set by default for good reasons, and the Unbound developers haven't changed that default till today.

I see the value of rebind protection on systems used by humans. But a mail server is another use case.

One way to solve your issue is to run two resolver instances: one for servers and one for end-user systems, only the latter configured with "private-address".

Andreas
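The two-instance split Andreas describes, written out as an added configuration sketch that is not from the thread; the file names, the listening address 192.0.2.1, the LAN range and the mail server address 192.0.2.25 are constructed placeholders, and only the `private-address` lines differ between the two instances.

```conf
# /etc/unbound/unbound-users.conf  (file name is an assumption)
# Resolver for end-user systems: rebinding protection enabled, so any
# answer inside these ranges (including 127.0.0.2 from an SPF "exists:"
# lookup) is stripped from the reply.
server:
    interface: 192.0.2.1            # constructed LAN address
    port: 53
    access-control: 192.0.2.0/24 allow
    access-control: 0.0.0.0/0 refuse
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 127.0.0.0/8
    private-address: ::1/128
    private-address: fd00::/8
    private-address: fe80::/10

# /etc/unbound/unbound-servers.conf  (file name is an assumption)
# Resolver for the mail server only: no private-address filtering, so the
# 127.0.0.2 answer that the SPF "exists:%{i}..." mechanism relies on is
# returned unchanged. Reachability is restricted to the mail server so
# human-operated clients cannot accidentally use the unfiltered instance.
server:
    interface: 192.0.2.1            # same host, second port
    port: 5353
    access-control: 192.0.2.25/32 allow   # constructed mail server address
    access-control: 0.0.0.0/0 refuse
```

Each file is started as its own process (`unbound -c <file>`), and the mail server's resolver setting points at the 5353 instance while every other LAN client keeps using port 53.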
