Hi,
On 09/09/2014 11:57 PM, Jeroen Massar wrote:
> On 2014-09-09 23:50, Yuri Schaeffer wrote:
>> Hi Jeroen,
>>
>>> (Browsers going to connect to local sites (RFC1918/link-local
>>> etc) is of course a scary thing when it is a remote site
>>> specifying some remotely controlled DNS server specifying those
>>> local addresses, but that is a browser issue).
>>
>> Using the "private-address" directive in unbound.conf, Unbound
>> can protect you against such DNS rebinding attacks.
>
> fe80::/10 should be in there per default then as without scope
> (which AAAA records do not carry) one cannot connect to them
> anyway.
>
>> Could you elaborate on the significance of querying multicast
>> addresses?
>
> Unless one is trying to stuff a NS record pointing to mDNS (which
> won't work globally and thus does not belong in a DNS AAAA record)
> it is pretty futile.
>
> Next to that there is a little bit of packet amplification, that
> depending on the multicast-scope and router configuration can
> reach quite far.
>
> Like fe80::/10 not a useful thing to send packets to though,
> hence should be considered unreachable per default.

Yes, that is true, and multicast sends packets to too many destinations.

But then when I look at IPv4 that means blocking a large block of address space where the RFC seems to talk about MBONE ... I am not sure if blocking that address space in default DNS resolver configuration is a good thing for IPv4 (future compatibility)?

multicast: block ff00::/8 and 224.0.0.0/4 and 255.255.255.255/32.
linkscope: block fe80::/10.
(linkscope ipv4 seems to be 224.0.0.0/24, but that is part of the multicast IPv4 reservation).
Best regards,
Wouter

_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
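As an added illustration (not from the thread and not Unbound's own code), the following Python models the answer filtering that the block list discussed above would perform: every prefix is one `private-address:` line in unbound.conf, and `private_domains` plays the role of Unbound's `private-domain:` exception. The list itself (RFC1918 plus the link-scope and multicast ranges proposed in the thread) and the unwrapping of IPv4-mapped IPv6 answers are assumptions of this example, not behaviour the thread attributes to Unbound.

```python
import ipaddress

# Constructed block list following the ranges proposed in the thread.
# Each entry corresponds to one "private-address:" line in unbound.conf.
PRIVATE_ADDRESS = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC1918
    "169.254.0.0/16", "fe80::/10",                     # link scope
    "224.0.0.0/4", "255.255.255.255/32", "ff00::/8",   # multicast / broadcast
]
BLOCKED_NETS = [ipaddress.ip_network(p) for p in PRIVATE_ADDRESS]


def is_private_answer(address: str, nets=BLOCKED_NETS) -> bool:
    """True if an A/AAAA answer address falls inside a blocked prefix.

    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped so that a v6 answer
    cannot carry a blocked v4 address past the v4-only prefixes. This is
    an extra check assumed here, not something the thread discusses.
    """
    addr = ipaddress.ip_address(address)
    candidates = [addr]
    if addr.version == 6 and addr.ipv4_mapped is not None:
        candidates.append(addr.ipv4_mapped)
    # "in" across address families simply yields False, so mixing is safe.
    return any(c in net for c in candidates for net in nets)


def filter_answers(rrset, qname="", private_domains=()):
    """Drop blocked addresses from a list of answer address strings.

    Names at or below a listed private domain (the role of Unbound's
    "private-domain:" directive) keep their private addresses.
    """
    name = qname.rstrip(".").lower()
    for d in private_domains:
        d = d.rstrip(".").lower()
        if name == d or name.endswith("." + d):
            return list(rrset)
    return [a for a in rrset if not is_private_answer(a)]


def unbound_conf_lines(prefixes=PRIVATE_ADDRESS) -> str:
    """Render the block list as server-section lines for unbound.conf."""
    return "\n".join(f"    private-address: {p}" for p in prefixes)
```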
