Bugzilla – Bug 2977
do-not-query-localhost should not apply to local configuration
Last modified: 2017-11-16 09:25:11 CET
By default, Unbound does not query localhost, to avoid being attacked by responses like: example.com. IN NS localhost. But it applies as well to local configuration. If I write in the config file:

    forward-zone:
        name: "."
        forward-addr: ::1@8053

Unbound does not query localhost and cannot work anymore (always SERVFAIL). (And nothing is logged.) This can be disabled with 'do-not-query-localhost: no' but it reopens the risk for the NS replies. So, do-not-query-localhost should not apply to local configuration, only to NS answers.
Hi Stephane,

That is an interesting idea. In the code where that check happens, I don't see the origin of the IP address. Also, the user could be surprised. And I don't like that way of config. You seem to have a different interpretation of what happens. Documentation may help people get the same interpretation. I think that is likely better.

NS localhost is not somehow worse than forward-addr. The most salient difference is actually the port number, the first is port 53 the other something else. But I also don't want to complicate the do-not-query config with port numbers. That could lead to inadvertent holes in the config as only one port is blocked, or stuff like that.

Best regards, Wouter
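Added example, not part of the bug thread or of Unbound: a small Python audit that reads a constructed unbound.conf fragment (modelled on the reporter's forward-zone) and flags the two states discussed above, a loopback forward-addr still blocked by do-not-query-localhost (the SERVFAIL case) and do-not-query-localhost set to no, which also lets NS answers pointing at localhost be followed. The parser handles only the simple "key: value" clause layout used here and is an assumption, not Unbound's own config reader.

```python
import ipaddress

# Constructed unbound.conf fragment; the forward-zone mirrors the report.
SAMPLE_CONF = """\
server:
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: ::1@8053
"""

def parse_unbound(text):
    """Return (server options dict, list of forward-addr values).
    Minimal parser: 'clause:' headers, then 'key: value' lines below them."""
    section, opts, fwd = None, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        key, _, val = line.partition(":")       # first ':' only, so IPv6 survives
        key, val = key.strip(), val.strip()
        if val == "":                           # a clause header such as 'server:'
            section = key
            continue
        if section == "server":
            opts[key] = val
        elif section == "forward-zone" and key == "forward-addr":
            fwd.append(val)
    return opts, fwd

def is_loopback(addr_with_port):
    """True for '::1@8053', '127.0.0.1', etc.: the host part is a loopback IP."""
    host = addr_with_port.rsplit("@", 1)[0]     # strip the optional @port suffix
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit(text):
    """List findings about the do-not-query-localhost / forward-addr interaction."""
    opts, fwd = parse_unbound(text)
    # Unbound's default for do-not-query-localhost is yes (blocked).
    blocked = opts.get("do-not-query-localhost", "yes").lower() != "no"
    loop = [a for a in fwd if is_loopback(a)]
    findings = []
    if loop and blocked:
        findings.append("loopback forward-addr %s is blocked by do-not-query-localhost: "
                        "queries will SERVFAIL" % ", ".join(loop))
    if not blocked:
        findings.append("do-not-query-localhost: no also lets NS records that point "
                        "at localhost be followed")
    return findings
```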