From: Wouter Wijngaards Date: Fri, 9 Nov 2007 14:15:21 +0000 (+0000) Subject: safer default interfaces. X-Git-Tag: release-0.6~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d41f40b02888c33792ff006a3745556237c6a66f;p=thirdparty%2Funbound.git safer default interfaces. git-svn-id: file:///svn/unbound/trunk@737 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index ee7c160b5..a1676d7dd 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -3,6 +3,7 @@ - default config file is /etc/unbound/unbound.conf. If it doesn't exist, it is installed with the doc/example.conf file. The file is not deleted on uninstall. + - default listening is not all, but localhost interfaces. 8 November 2007: Wouter - Fixup chroot and drop user privileges. diff --git a/doc/example.conf b/doc/example.conf index 1c9b8a4a1..b88a8d50a 100644 --- a/doc/example.conf +++ b/doc/example.conf @@ -19,7 +19,8 @@ server: # num-threads: 1 # specify the interfaces to answer queries from by ip-address. - # If you give none the default (all) interface is used. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. # specify every interface on a new 'interface:' labelled line. # interface: 192.0.2.153 # interface: 192.0.2.154 diff --git a/doc/unbound.conf.5 b/doc/unbound.conf.5 index c3e3f2a6e..fdb0cdbe9 100644 --- a/doc/unbound.conf.5 +++ b/doc/unbound.conf.5 
@@ -78,7 +78,7 @@ The port number, default 53, on which the server responds to queries. Interface to use to connect to the network. This interface is listened to for queries from clients, and answers to clients are given from it. Can be given multiple times to work on several interfaces. If none are -given the default (all) is used. +given the default is to listen to localhost. .It \fBoutgoing-interface:\fR Interface to use to connect to the network. This interface is used to send queries to authoritative servers and receive their replies. Can be given @@ -87,8 +87,8 @@ default (all) is used. You can specify the same interfaces in .Ic interface: and .Ic outgoing-interface: -lines, the interfaces are then used for both purposes. Queries are sent -via a random interface to counter spoofing. +lines, the interfaces are then used for both purposes. Outgoing queries are +sent via a random outgoing interface to counter spoofing. .It \fBoutgoing-port:\fR The starting port number where the outgoing query port range is allocated. Default is 1053. diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c index 960a8f376..52ec206af 100644 --- a/services/listen_dnsport.c +++ b/services/listen_dnsport.c @@ -409,7 +409,7 @@ listening_ports_open(struct config_file* cfg) if(cfg->num_ifs == 0) { if(do_ip6) { hints.ai_family = AF_INET6; - if(!ports_create_if(NULL, cfg->do_udp, do_tcp, + if(!ports_create_if("::1", cfg->do_udp, do_tcp, &hints, portbuf, &list)) { listening_ports_free(list); return NULL; @@ -417,7 +417,7 @@ listening_ports_open(struct config_file* cfg) } if(do_ip4) { hints.ai_family = AF_INET; - if(!ports_create_if(NULL, cfg->do_udp, do_tcp, + if(!ports_create_if("127.0.0.1", cfg->do_udp, do_tcp, &hints, portbuf, &list)) { listening_ports_free(list); return NULL;
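Review bot: the Changelog line "default listening is not all, but localhost interfaces." should also say how to get the previous behaviour back, since this is a behaviour change that can break existing deployments that relied on the old "all interfaces" default; something like "specify interface: 0.0.0.0 and interface: ::0 to listen on all interfaces as before" would let an upgrading operator find the fix from the changelog alone.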
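Review bot: in the doc/example.conf hunk, the two new comment lines use inconsistent capitalisation ("The default is to listen to localhost ..." followed by "specify 0.0.0.0 and ::0 ..."); start the second with a capital to match the first. More importantly, the advice to bind 0.0.0.0 and ::0 turns the resolver back into an open listener, so the comment should point the reader at restricting which clients may query before doing so; otherwise this hunk undoes the safety gain the commit is meant to provide for anyone who copies it.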
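Review bot: the unbound.conf.5 hunk for interface: says only "the default is to listen to localhost", while doc/example.conf in the same commit spells out "127.0.0.1 and ::1" and the 0.0.0.0/::0 escape hatch; the man page is the authoritative reference, so it should carry the same concrete addresses and the same note on how to listen on all interfaces, e.g. "given the default is to listen to localhost (127.0.0.1 and ::1); use 0.0.0.0 and ::0 to listen on all interfaces." Keeping the two documents in step avoids a reader of the man page concluding the old default still applies.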
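Review bot: in the second unbound.conf.5 hunk, the unchanged context line "default (all) is used." still describes outgoing-interface, which is correct since only the listening default changed, but the reworded sentence "Outgoing queries are sent via a random outgoing interface to counter spoofing." now sits right after that line; consider adding "the listening default is localhost but the outgoing default remains all interfaces" so a reader skimming both entries does not assume the outgoing default changed too. The clarification that the randomisation applies to outgoing interfaces only is a good fix.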
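Review bot: in the first listen_dnsport.c hunk, replacing NULL with the literal "::1" under `if(do_ip6)` means that on a host where IPv6 is compiled in but the ::1 loopback address is not configured, ports_create_if fails, listening_ports_free(list) runs and listening_ports_open returns NULL, so the daemon fails to start even though the IPv4 loopback would have worked; decide whether a missing ::1 should be fatal or should only log and fall through to the `if(do_ip4)` block. Whatever the decision, the failure path should log the address it could not bind ("::1") so the operator can tell this is the new default and not a misconfigured interface: line.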
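Review bot: the second listen_dnsport.c hunk hard-codes "127.0.0.1" in a block that is otherwise a copy of the "::1" block above it (same `ports_create_if(..., cfg->do_udp, do_tcp, &hints, portbuf, &list)` call and same `listening_ports_free(list); return NULL;` cleanup); factor the two into a loop over a small table of {ai_family, address} pairs, or at least give the two literals named constants, so a later change to the default cannot update one family and miss the other. The cleanup order is correct as written: a failure here frees the ::1 sockets opened by the first block before returning.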