Hi!

> On 03/10/2013 08:10 PM, Leen Besselink wrote:
> > On Sun, Mar 10, 2013 at 02:15:10PM +0100, Jeremie Le Hen wrote:
> >
> > Maybe I'm mistaken, but I believe you might also need 1 of these ?:
> >
> > private-address: <IP address or subnet>
> >     Give IPv4 or IPv6 addresses or classless subnets. These are
> >     addresses on your private network, and are not allowed to be
> >     returned for public internet names. Any occurrence of such
> >     addresses is removed from DNS answers. Additionally, the DNSSEC
> >     validator may mark the answers bogus. This protects against
> >     so-called DNS Rebinding, where a user browser is turned into a
> >     network proxy, allowing remote access through the browser to
> >     other parts of your private network. Some names can be allowed
> >     to contain your private addresses, by default all the local-data
> >     that you configured is allowed to, and you can specify additional
> >     names using private-domain. No private addresses are enabled by
> >     default. We consider to enable this for the RFC1918 private IP
> >     address space by default in later releases. That would enable
> >     private addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
> >     169.254.0.0/16 fd00::/8 and fe80::/10, since the RFC standards
> >     say these addresses should not be visible on the public
> >     internet. Turning on 127.0.0.0/8 would hinder many spam-blocklists
> >     as they use that.
> >
> > private-domain: <domain name>
> >     Allow this domain, and all its subdomains to contain private
> >     addresses. Give multiple times to allow multiple domain names to
> >     contain private addresses. Default is none.
If I understand correctly, I should not use private-address as it will remove any occurrence of IP addresses from my local network; also, it seems that private-domain only applies to forward zones, as reverse zones do not return IP addresses, isn't it? I tried both (independently) and it didn't work unfortunately.

On Mon, Mar 11, 2013 at 09:05:41AM +0100, W.C.A. Wijngaards wrote:
>
> Change this line, I think,
> local-zone: "1.168.192.in-addr.arpa." nodefault
> into this
> local-zone: "168.192.in-addr.arpa." nodefault

Ok, indeed that works. Is it the expected behaviour, and if yes, what is the rationale for this? I think we should be able to divide further RFC1918 reverse zones for convenience, unless there is a strong reason I don't understand not to do that; I mean I have the impression that unbound somewhat enforces the pre-CIDR behaviour of these private networks.

Cheers,
-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
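The fix in the thread works because `nodefault` must name exactly one of unbound's built-in default local zones, and for RFC1918 space those zones sit at /8 and /16 granularity (`10.in-addr.arpa`, `16.172.in-addr.arpa` through `31.172.in-addr.arpa`, `168.192.in-addr.arpa`, as listed under `local-zone` in unbound.conf(5)); a sub-zone name such as `1.168.192.in-addr.arpa.` matches none of them and so disables nothing. The following helper, added here as an example and not code from unbound or from anyone in the thread, maps a private subnet to the default zone names that cover it and emits the matching `nodefault` lines. The zone list is an assumption limited to the RFC1918 defaults named above; the function names are my own.

```python
"""Map an RFC1918 subnet to the unbound default reverse local-zones that cover it.

Constructed example for this thread; not code from unbound or from any poster.
Assumption: unbound's default local zones for RFC1918 reverse space are
10.in-addr.arpa, 16.172.in-addr.arpa .. 31.172.in-addr.arpa and
168.192.in-addr.arpa (per the local-zone defaults in unbound.conf(5)).
Other default zones (loopback, link-local, ip6.arpa, ...) are out of scope.
"""
from __future__ import annotations

import ipaddress

# The default zones expressed as the IPv4 prefix each one corresponds to.
DEFAULT_RFC1918_ZONES = (
    [ipaddress.ip_network("10.0.0.0/8")]
    + [ipaddress.ip_network(f"172.{i}.0.0/16") for i in range(16, 32)]
    + [ipaddress.ip_network("192.168.0.0/16")]
)


def reverse_zone_name(net: ipaddress.IPv4Network) -> str:
    """Return the in-addr.arpa. name of an octet-aligned /8, /16 or /24 network."""
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 map onto a single in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def covering_default_zones(subnet: str) -> list[str]:
    """Default zone names that must be disabled before reverse queries for
    `subnet` can reach a forward/stub zone instead of being answered locally.
    A /12 such as 172.16.0.0/12 spans sixteen /16 default zones."""
    net = ipaddress.ip_network(subnet, strict=False)
    if net.version != 4:
        return []  # only the IPv4 RFC1918 defaults are modelled here
    return [reverse_zone_name(z) for z in DEFAULT_RFC1918_ZONES if z.overlaps(net)]


def nodefault_lines(subnet: str) -> str:
    """Render the lines to drop into the server: section of unbound.conf."""
    return "\n".join(
        f'    local-zone: "{name}" nodefault' for name in covering_default_zones(subnet)
    )


def is_effective_nodefault(zone_name: str) -> bool:
    """True only when zone_name is exactly a default zone.  The poster's
    original '1.168.192.in-addr.arpa.' is a sub-zone and matches nothing."""
    name = zone_name.lower()
    if not name.endswith("."):
        name += "."
    return name in {reverse_zone_name(z) for z in DEFAULT_RFC1918_ZONES}


if __name__ == "__main__":
    for candidate in ("1.168.192.in-addr.arpa.", "168.192.in-addr.arpa."):
        print(f"{candidate:30} effective nodefault: {is_effective_nodefault(candidate)}")
    print(nodefault_lines("192.168.1.0/24"))
    print(nodefault_lines("172.16.0.0/12"))
```

Once the covering default zone is disabled, the usual next step is a `stub-zone` or `forward-zone` for the specific sub-zone (here `1.168.192.in-addr.arpa.`) pointing at the internal authoritative server; the `private-address` option is unrelated to this, since PTR answers carry names, not addresses.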
