On Wed, Jun 11, 2014 at 07:24:31AM -0600, Michael MacNeill wrote:
>
> Thank you Willem, unbound-host was extremely useful in tracking down
> this problem.
>
> My first test with it came up with the correct answer with no problem.
>
>     unbound-host -d ns2.editnew.net
>
> I then figured out that I could use the same configuration as the daemon:
>
>     unbound-host -C unbound.conf -d ns2.editnew.net
>
> and it failed. So something in the config file.
> Comment and retry until success.
> That is when I discovered my giant brain fart.
>
> When I set the DNS server up I grabbed a full featured config from somewhere.
>
> I'm not sure where I got it, but you can see it here:
> https://www.nlnetlabs.nl/bugs-script/attachment.cgi?id=143
>
> It includes the lines:
>
>     # Enforce privacy of these addresses. Strips them away from answers.
>     # It may cause DNSSEC validation to additionally mark it as bogus.
>     # Protects against 'DNS Rebinding' (uses browser as network proxy).
>     # Only 'private-domain' and 'local-data' names are allowed to have
>     # these private addresses. No default.
>     # private-address: 10.0.0.0/8
>     # private-address: 172.16.0.0/12
>     # private-address: 192.168.0.0/16
>     # private-address: 192.254.0.0/16
>     # private-address: fd00::/8
>     # private-address: fe80::/10
>
> and I uncommented them all. Except that
>
>     # private-address: 192.254.0.0/16
>
> *is not a private address space*, and is in fact part of the
> address space used by ns2.editnew.net.
>
That is pretty scary, blocking large parts of the Internet.

That should have been:

    169.254.0.0/16

Which is the IPv4 link-local address range.

> So using private-address is an effective way to black hole an IP
> address range.
>
> Thanks for all the help.
>
> MM
>
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
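The mistake above (a typo'd range in private-address that silently strips real Internet answers) is easy to catch with a small config lint. The following is an added example, not code from the thread or from the Unbound project: it parses the private-address lines of an unbound.conf fragment with Python's standard ipaddress module and flags any entry that does not fall inside the RFC 1918, link-local or ULA ranges those lines are meant to cover. The configuration text is constructed here to reproduce the poster's typo; the function names and the list of expected ranges are this example's own choices.

```python
import ipaddress
import re

# Constructed unbound.conf fragment reproducing the typo discussed in the
# thread (192.254.0.0/16 instead of 169.254.0.0/16). Example input only.
SAMPLE_CONF = """
server:
    verbosity: 1
    # Enforce privacy of these addresses. Strips them away from answers.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 192.254.0.0/16   # typo: should be 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
"""

# Ranges that a private-address entry is expected to live inside:
# RFC 1918 (10/8, 172.16/12, 192.168/16), IPv4 link-local (169.254/16),
# IPv6 ULA (fd00::/8) and IPv6 link-local (fe80::/10). This list is an
# assumption of the example, not something Unbound enforces.
EXPECTED_PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10",
)]

PRIVATE_ADDRESS_RE = re.compile(r"^\s*private-address:\s*(\S+)")


def parse_private_addresses(conf_text):
    """Return the ip_network objects from every active private-address line.

    Comments are stripped first, so commented-out entries are ignored just as
    unbound would ignore them.
    """
    nets = []
    for line in conf_text.splitlines():
        active = line.split("#", 1)[0]
        m = PRIVATE_ADDRESS_RE.match(active)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def lint_private_addresses(nets):
    """Return the entries (as strings) that are not inside any expected private range.

    Such an entry will cause unbound to strip real, routable addresses from
    answers, which is the black-hole effect described in the thread.
    """
    suspicious = []
    for net in nets:
        # subnet_of() raises TypeError across address families, so compare
        # the version first and let the short-circuit skip mismatches.
        ok = any(net.version == exp.version and net.subnet_of(exp)
                 for exp in EXPECTED_PRIVATE)
        if not ok:
            suspicious.append(str(net))
    return suspicious


def would_be_stripped(nets, address):
    """True if an answer containing `address` would match a private-address entry."""
    addr = ipaddress.ip_address(address)
    return any(addr.version == net.version and addr in net for net in nets)


if __name__ == "__main__":
    nets = parse_private_addresses(SAMPLE_CONF)
    for entry in lint_private_addresses(nets):
        print(f"WARNING: private-address {entry} is not a private range; "
              f"answers in it will be stripped")
    # A constructed public address inside the typo'd range, for illustration.
    print("192.254.10.20 stripped:", would_be_stripped(nets, "192.254.10.20"))
```

Running the lint against the constructed fragment reports only 192.254.0.0/16, and would_be_stripped shows that a public address inside that block would disappear from answers, which is exactly the symptom that unbound-host -C unbound.conf exposed in the thread.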
