-rw-r--r--config/unbound/unbound.inc28
-rw-r--r--config/unbound/unbound.xml7
2 files changed, 26 insertions, 9 deletions
diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc
index d044f739..7ba2c450 100644
--- a/config/unbound/unbound.inc
+++ b/config/unbound/unbound.inc
@@ -281,7 +281,6 @@ function unbound_resync_config() {
$host_entries = unbound_add_host_entries();
// Domain Overrides
- $private_domains = unbound_add_domain_overrides(true);
$domain_overrides = unbound_add_domain_overrides();
// Unbound Statistics
@@ -297,6 +296,24 @@ function unbound_resync_config() {
$cumulative_stats = "no";
$extended_stats = "no";
}
+
+ // Private-address support for DNS Rebinding
+ if($unbound_config['private_address'] == "on") {
+ $pvt_addr = <<<EOF
+# For DNS Rebinding prevention
+private-address: 10.0.0.0/8
+private-address: 172.16.0.0/12
+private-address: 192.168.0.0/16
+private-address: 192.254.0.0/16
+# private-address: fd00::/8
+# private-address: fe80::/10
+# Set private domains in case authorative name server returns a RFC1918 IP address
+EOF;
+
+ // Add private-domain options
+ $private_domains = unbound_add_domain_overrides(true);
+
+ }
// Set the number of threads equal to number of CPUs.
// Use 1 if for some reason this sysctl fails.
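Review bot: `$pvt_addr` and `$private_domains` are assigned only inside the `if` on `private_address`, yet both are interpolated unconditionally into the config template in the third hunk (`{$pvt_addr}` and `{$private_domains}`); with the option off they are undefined, which PHP reports as a notice and interpolates as an empty string. Initialise both before the conditional, `$pvt_addr = ""; $private_domains = "";`, so the generated file is the same regardless of notice reporting. The test `$unbound_config['private_address'] == "on"` is also false when the key is absent, so an installation whose saved configuration predates this field would silently lose the private-address stripping that used to be unconditional; if the XML `default_value` only takes effect when the form is saved, `if (!isset($unbound_config['private_address']) || $unbound_config['private_address'] == "on")` keeps the protection on by default. The moved list still contains `192.254.0.0/16`, which is public space rather than a private range — if the link-local range was meant, that is `169.254.0.0/16` — and `authorative` in the emitted comment should read `authoritative`. unbound_resync_config() starts and ends outside this hunk.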
@@ -344,14 +361,7 @@ unwanted-reply-threshold: 10000000
# Networks allowed to utilize service
access-control: 127.0.0.0/8 allow
{$unbound_allowed_networks}
-# For DNS Rebinding prevention
-private-address: 10.0.0.0/8
-private-address: 172.16.0.0/12
-private-address: 192.168.0.0/16
-private-address: 192.254.0.0/16
-# private-address: fd00::/8
-# private-address: fe80::/10
-# Set private domains in case authorative name server returns a RFC1918 IP address
+{$pvt_addr}
{$private_domains}
# Host entries
diff --git a/config/unbound/unbound.xml b/config/unbound/unbound.xml
index f7a851eb..43947698 100644
--- a/config/unbound/unbound.xml
+++ b/config/unbound/unbound.xml
@@ -118,6 +118,13 @@
<type>checkbox</type>
<default_value>on</default_value>
</field>
+ <field>
+ <fieldname>private_address</fieldname>
+ <fielddescr>Private Address support</fielddescr>
+ <description>With this option enabled &lt;a href="http://tools.ietf.org/html/rfc1918"&gt;RFC1918&lt;/a&gt; addresses are stripped away from DNS answers. Additionally, the DNSSEC validator may mark the answers bogus. This protects against &lt;a href="http://en.wikipedia.org/wiki/DNS_rebinding"&gt;DNS Rebinding&lt;/a&gt;. &lt;br/&gt; &lt;b&gt;Note:&lt;/b&gt; Domain Overrides and Host entries will be allowed to return answers if this option is enabled.</description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
<!--<field>
<fieldname>regdhcp</fieldname>
<fielddescr>Register DHCP leases</fielddescr>
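Review bot: The description states that RFC1918 addresses are stripped from answers, but the private-address list this checkbox enables in unbound.inc also covers `192.254.0.0/16`, which lies outside RFC1918, so the text understates what is filtered. Either name every range that is stripped in the description or restrict the generated list to the ranges the description mentions, so an operator reading the form can predict which answers will disappear.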