[Unbound-users] problem with NS editnew.net
leen at consolejunkie.net
Wed Jun 11 15:43:03 CEST 2014
On Wed, Jun 11, 2014 at 07:24:31AM -0600, Michael MacNeill wrote:
> Thank you Willem, unbound-host was extremely useful in tracking down
> this problem.
> my first test with it came up with the correct answer with no problem.
> unbound-host -d ns2.editnew.net
> I then figured out that I could use the same configuration as the daemon
> unbound-host -C unbound.conf -d ns2.editnew.net
> and it failed. so something in the config file.
> comment and retry until success.
> that is when I discovered my giant brain fart.
> When I set dns server up I grabbed a full featured config from somewhere.
> I'm not sure where I got it, but you can see it here:
> it includes the lines:
> # Enforce privacy of these addresses. Strips them away from answers.
> # It may cause DNSSEC validation to additionally mark it as bogus.
> # Protects against 'DNS Rebinding' (uses browser as network proxy).
> # Only 'private-domain' and 'local-data' names are allowed to have
> # these private addresses. No default.
> # private-address: 10.0.0.0/8
> # private-address: 172.16.0.0/12
> # private-address: 192.168.0.0/16
> # private-address: 188.8.131.52/16
> # private-address: fd00::/8
> # private-address: fe80::/10
> and I uncommented them all. Except that
> * # private-address: 184.108.40.206/16**
> ***is not a private address space. and is in fact part of the
> address space used by ns2.editnew.net
That is pretty scary, blocking large parts of the Internet.
That should have been:
Which is the IPv4 link-local address range.
> so using private-address is an effective way to black hole an IP
> address range.
> thanks for all the help.
> Unbound-users mailing list
> Unbound-users at unbound.net
More information about the Unbound-users