author | Warren Baker <warren@decoy.co.za> | 2010-12-17 19:12:12 +0200 |
---|---|---|
committer | Warren Baker <warren@decoy.co.za> | 2010-12-17 19:12:12 +0200 |
commit | f6776caca5afceaa1a8349cca3d263c6635bf7fb (patch) | |
tree | ef9575b238fb8f78a212a56cc9b6bef66b6f3e26 /config/unbound/unbound.inc | |
parent | baed1fbf528a885c1c07bf38d1a5821f8c681828 (diff) | |
Add DNS Rebinding check as a checkbox. If any DNS answer returns an RFC1918 address, the answer is stripped unless the domain is configured in domain overrides. With this option disabled, all RFC1918 answers will be returned. Possibly need to break this and a few other options out into a rowhelper-type page...
Diffstat (limited to 'config/unbound/unbound.inc')
-rw-r--r-- | config/unbound/unbound.inc | 28 |
1 files changed, 19 insertions, 9 deletions
diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc index d044f739..7ba2c450 100644 --- a/config/unbound/unbound.inc +++ b/config/unbound/unbound.inc @@ -281,7 +281,6 @@ function unbound_resync_config() { $host_entries = unbound_add_host_entries(); // Domain Overrides - $private_domains = unbound_add_domain_overrides(true); $domain_overrides = unbound_add_domain_overrides(); // Unbound Statistics @@ -297,6 +296,24 @@ function unbound_resync_config() { $cumulative_stats = "no"; $extended_stats = "no"; } + + // Private-address support for DNS Rebinding + if($unbound_config['private_address'] == "on") { + $pvt_addr = <<<EOF +# For DNS Rebinding prevention +private-address: 10.0.0.0/8 +private-address: 172.16.0.0/12 +private-address: 192.168.0.0/16 +private-address: 192.254.0.0/16 +# private-address: fd00::/8 +# private-address: fe80::/10 +# Set private domains in case authorative name server returns a RFC1918 IP address +EOF; + + // Add private-domain options + $private_domains = unbound_add_domain_overrides(true); + + } // Set the number of threads equal to number of CPUs. // Use 1 if for some reason this sysctl fails. @@ -344,14 +361,7 @@ unwanted-reply-threshold: 10000000 # Networks allowed to utilize service access-control: 127.0.0.0/8 allow {$unbound_allowed_networks} -# For DNS Rebinding prevention -private-address: 10.0.0.0/8 -private-address: 172.16.0.0/12 -private-address: 192.168.0.0/16 -private-address: 192.254.0.0/16 -# private-address: fd00::/8 -# private-address: fe80::/10 -# Set private domains in case authorative name server returns a RFC1918 IP address +{$pvt_addr} {$private_domains} # Host entries |
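Review bot: The `private-address: 192.254.0.0/16` line carried into the new `$pvt_addr` heredoc is not an RFC1918 range (it is publicly routable space) and looks like a typo for the link-local block, so as written the option neither blocks rebinding to link-local addresses nor matches the commit message; please confirm the intended range and change the line to `private-address: 169.254.0.0/16`. Worth considering in the same block whether loopback (`127.0.0.0/8`) and the commented-out IPv6 ULA/link-local entries should be enabled, since a rebinding attack aimed at a service on the resolver host itself is not covered by the RFC1918 list alone. Separately, when `private_address` is not "on", `$pvt_addr` and `$private_domains` are never assigned yet are still interpolated into the generated config in the third hunk; initialising both to `""` just before the `if` avoids an undefined-variable notice and makes the empty case explicit. The enclosing `unbound_resync_config()` starts before this hunk and continues past it.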