On 2014-09-09 23:50, Yuri Schaeffer wrote:
> Hi Jeroen,
>
>> (Browsers going to connect to local sites (RFC1918/link-local etc.)
>> is of course a scary thing when it is a remote site specifying some
>> remotely controlled DNS server specifying those local addresses,
>> but that is a browser issue).
>
> Using the "private-address" directive in unbound.conf, Unbound can
> protect you against such DNS rebinding attacks.

fe80::/10 should be in there by default then, as without a scope (which
AAAA records do not carry) one cannot connect to them anyway.

> Could you elaborate on the significance of querying multicast addresses?

Unless one is trying to stuff an NS record pointing to mDNS (which won't
work globally and thus does not belong in a DNS AAAA record) it is
pretty futile.

Next to that there is a little bit of packet amplification, which
depending on the multicast scope and router configuration can reach
quite far.

Like fe80::/10, not a useful thing to send packets to though, hence it
should be considered unreachable by default.

Greets,
 Jeroen

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
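The filtering the thread is arguing about, as an added example that is not part of the original mail and not Unbound's own code: a small Python model of what a `private-address` list does to an upstream answer, with a `private-domain` whitelist of the kind Unbound also offers so that a legitimately private-addressed zone still resolves. The candidate list of ranges below is an assumption (RFC1918, IPv4 link-local, IPv6 ULA, plus the `fe80::/10` and `ff00::/8` entries Jeroen proposes); it is not a statement of what Unbound ships as its default. The DNS records are constructed sample data.

```python
"""Model of a private-address rebinding filter (example, not Unbound code)."""
import ipaddress
from dataclasses import dataclass

# Assumed candidate list for the private-address directive. fe80::/10 is
# included because an AAAA record cannot carry the scope a link-local address
# needs; ff00::/8 because nothing legitimate answers a unicast flow with a
# multicast address. This is a suggestion, not Unbound's shipped default.
PRIVATE_ADDRESS = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fd00::/8", "fe80::/10", "ff00::/8",
]


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "www.attacker.example."
    rtype: str   # "A" or "AAAA"
    rdata: str   # address text as carried in the record (no scope possible)


def parse_nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def is_private(addr_text, nets):
    # ipaddress returns False for an address/network family mismatch,
    # so IPv4 addresses are never matched against the IPv6 ranges.
    addr = ipaddress.ip_address(addr_text)
    return any(addr in n for n in nets)


def under_domain(name, domain):
    n, d = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return n == d or n.endswith("." + d)


def filter_answers(rrs, private_address=PRIVATE_ADDRESS, private_domain=()):
    """Split an answer into (kept, dropped).

    A/AAAA records whose address falls inside a private range are dropped
    unless their owner name sits under a whitelisted private-domain; all other
    records pass untouched."""
    nets = parse_nets(private_address)
    kept, dropped = [], []
    for rr in rrs:
        private = rr.rtype in ("A", "AAAA") and is_private(rr.rdata, nets)
        allowed = any(under_domain(rr.name, d) for d in private_domain)
        (dropped if private and not allowed else kept).append(rr)
    return kept, dropped


def unbound_conf_lines(private_address=PRIVATE_ADDRESS, private_domain=()):
    """Render the equivalent unbound.conf server: directives."""
    lines = ["server:"]
    lines += [f"    private-address: {c}" for c in private_address]
    lines += [f"    private-domain: {d}" for d in private_domain]
    return lines


# Constructed sample: an attacker's zone mixing a public address with
# RFC1918, link-local and multicast answers, plus a legitimate LAN host.
SAMPLE_ANSWER = [
    RR("www.attacker.example.", "A", "203.0.113.5"),
    RR("www.attacker.example.", "A", "192.168.1.1"),
    RR("www.attacker.example.", "AAAA", "fe80::1"),
    RR("www.attacker.example.", "AAAA", "ff02::1"),
    RR("nas.lan.example.", "A", "192.168.1.10"),
]

if __name__ == "__main__":
    kept, dropped = filter_answers(SAMPLE_ANSWER, private_domain=("lan.example",))
    for rr in dropped:
        print("dropped", rr)
    for rr in kept:
        print("kept   ", rr)
    print("\n".join(unbound_conf_lines(private_domain=("lan.example",))))
```

Running it with the `fe80::/10` entry removed from the list shows the gap the mail is about: the `fe80::1` answer is then passed through to the browser, even though no client could ever use it without a scope.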
