-rw-r--r-- | config/unbound/unbound.inc | 28 | ||||
-rw-r--r-- | config/unbound/unbound.xml | 7 |
2 files changed, 26 insertions, 9 deletions
diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc
index d044f739..7ba2c450 100644
--- a/config/unbound/unbound.inc
+++ b/config/unbound/unbound.inc
@@ -281,7 +281,6 @@ function unbound_resync_config() {
 $host_entries = unbound_add_host_entries();
 
 // Domain Overrides
- $private_domains = unbound_add_domain_overrides(true);
 $domain_overrides = unbound_add_domain_overrides();
 
 // Unbound Statistics
@@ -297,6 +296,24 @@ function unbound_resync_config() {
 $cumulative_stats = "no";
 $extended_stats = "no";
 }
+
+ // Private-address support for DNS Rebinding
+ if($unbound_config['private_address'] == "on") {
+ $pvt_addr = <<<EOF
+# For DNS Rebinding prevention
+private-address: 10.0.0.0/8
+private-address: 172.16.0.0/12
+private-address: 192.168.0.0/16
+private-address: 192.254.0.0/16
+# private-address: fd00::/8
+# private-address: fe80::/10
+# Set private domains in case authorative name server returns a RFC1918 IP address
+EOF;
+
+ // Add private-domain options
+ $private_domains = unbound_add_domain_overrides(true);
+
+ }
 
 // Set the number of threads equal to number of CPUs.
 // Use 1 if for some reason this sysctl fails.
@@ -344,14 +361,7 @@ unwanted-reply-threshold: 10000000
 # Networks allowed to utilize service
 access-control: 127.0.0.0/8 allow
 {$unbound_allowed_networks}
-# For DNS Rebinding prevention
-private-address: 10.0.0.0/8
-private-address: 172.16.0.0/12
-private-address: 192.168.0.0/16
-private-address: 192.254.0.0/16
-# private-address: fd00::/8
-# private-address: fe80::/10
-# Set private domains in case authorative name server returns a RFC1918 IP address
+{$pvt_addr}
 {$private_domains}
 
 # Host entries
diff --git a/config/unbound/unbound.xml b/config/unbound/unbound.xml
index f7a851eb..43947698 100644
--- a/config/unbound/unbound.xml
+++ b/config/unbound/unbound.xml
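Review bot: `$pvt_addr` and `$private_domains` are assigned only inside the `if($unbound_config['private_address'] == "on")` branch added in the second hunk, yet the third hunk interpolates both into the unbound.conf heredoc unconditionally, and the first hunk removed the previously unconditional assignment of `$private_domains`; with the option off this interpolates undefined variables (PHP notices and empty lines in the generated config). Initialize both before the branch, `$pvt_addr = ""; $private_domains = "";`. The moved list also still carries `private-address: 192.254.0.0/16`, which is neither an RFC1918 nor a link-local range; it looks like a typo for the link-local block `169.254.0.0/16`, and as written it would strip answers in a routable /16 while leaving link-local addresses unfiltered. The moved comment also misspells `authorative` (should be `authoritative`). unbound_resync_config() starts and ends outside these hunks.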
@@ -118,6 +118,13 @@
 <type>checkbox</type>
 <default_value>on</default_value>
 </field>
+ <field>
+ <fieldname>private_address</fieldname>
+ <fielddescr>Private Address support</fielddescr>
+ <description>With this option enabled <a href="http://tools.ietf.org/html/rfc1918">RFC1918</a> addresses are stripped away from DNS answers. Additionally, the DNSSEC validator may mark the answers bogus. This protects against <a href="http://en.wikipedia.org/wiki/DNS_rebinding">DNS Rebinding</a>. <br/> <b>Note:</b> Domain Overrides and Host entries will be allowed to return answers if this option is enabled.</description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
 <!--<field>
 <fieldname>regdhcp</fieldname>
 <fielddescr>Register DHCP leases</fielddescr> |
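Review bot: The new `private_address` checkbox defaults to `on`, but unbound.inc emits the private-address block only when `$unbound_config['private_address'] == "on"`; if `default_value` is applied only when the form is first saved (as seems to be the case for these package XML forms — confirm), an existing installation whose config lacks the key silently loses the rebinding protection that was unconditional before this change. Consider treating a missing key as enabled on the PHP side, or documenting that the settings must be saved once after upgrading. The `<description>` also states that only RFC1918 addresses are stripped, while the list emitted by unbound.inc includes the non-RFC1918 entry `192.254.0.0/16`; once that list is settled, align the wording, e.g. `RFC1918 and other private/link-local addresses are stripped away from DNS answers`.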