From: W.C.A. Wijngaards Date: Tue, 25 Jun 2019 12:50:49 +0000 (+0200) Subject: - For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf X-Git-Tag: release-1.9.3rc1~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=da46ea24d5aaa1b0261348fb2cc8a1f463bbdce4;p=thirdparty%2Funbound.git - For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf when do-not-query-localhost is turned on, or at default on, unbound-checkconf prints a warning if it is found in forward-addr or stub-addr statements. --- diff --git a/doc/Changelog b/doc/Changelog index a5df4d555..c3fceb6ba 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,9 @@ +25 June 2019: Wouter + - For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf + when do-not-query-localhost is turned on, or at default on, + unbound-checkconf prints a warning if it is found in forward-addr or + stub-addr statements. + 24 June 2019: Wouter - Fix memleak in unit test, reported from the clang 8.0 static analyzer. diff --git a/smallapp/unbound-checkconf.c b/smallapp/unbound-checkconf.c index 6b78216eb..ced35d695 100644 --- a/smallapp/unbound-checkconf.c +++ b/smallapp/unbound-checkconf.c 
@@ -146,6 +146,39 @@ check_mod(struct config_file* cfg, struct module_func_block* fb)
 edns_known_options_delete(&env);
 }
 
+/** true is addr is a localhost address, 127.0.0.1 or ::1 (@port) */
+static int
+str_addr_is_localhost(const char* a)
+{
+ if(strncmp(a, "127.", 4) == 0) return 1;
+ if(strncmp(a, "::1", 3) == 0) return 1;
+ return 0;
+}
+
+/** check do-not-query-localhost */
+static void
+donotquerylocalhostcheck(struct config_file* cfg)
+{
+ if(cfg->donotquery_localhost) {
+ struct config_stub* p;
+ struct config_strlist* s;
+ for(p=cfg->forwards; p; p=p->next) {
+ for(s=p->addrs; s; s=s->next) {
+ if(str_addr_is_localhost(s->str)) {
+ fprintf(stderr, "unbound-checkconf: warning: forward-addr: '%s' is specified for forward-zone: '%s', but do-not-query-localhost: yes means that the address will not be used for lookups.\n", s->str, p->name);
+ }
+ }
+ }
+ for(p=cfg->stubs; p; p=p->next) {
+ for(s=p->addrs; s; s=s->next) {
+ if(str_addr_is_localhost(s->str)) {
+ fprintf(stderr, "unbound-checkconf: warning: stub-addr: '%s' is specified for stub-zone: '%s', but do-not-query-localhost: yes means that the address will not be used for lookups.\n", s->str, p->name);
+ }
+ }
+ }
+ }
+}
+
 /** check localzones */
 static void
 localzonechecks(struct config_file* cfg)
@@ -606,6 +639,7 @@ morechecks(struct config_file* cfg)
 cfg->control_cert_file);
 }
 
+ donotquerylocalhostcheck(cfg);
 localzonechecks(cfg);
 view_and_respipchecks(cfg);
 #ifdef CLIENT_SUBNET
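Review bot: In str_addr_is_localhost the `strncmp(a, "::1", 3) == 0` test is a bare prefix match, so any IPv6 address whose text merely begins with `::1` (a constructed example: `::1:2`) is reported as localhost and the operator gets a misleading warning. Requiring the string to end there, or to continue with a port or auth-name separator, keeps the match exact: `if(strncmp(a, "::1", 3) == 0 && (a[3] == 0 || a[3] == '@' || a[3] == '#')) return 1;`. A textual test still misses other spellings of the loopback address such as `0:0:0:0:0:0:0:1`, so if a silent false negative matters here, parsing the address before comparing would be more robust. The doc comment should read `/** true if addr is a loopback address, 127.0.0.0/8 or ::1, optionally with @port */`, because the code matches every `127.` prefix rather than only 127.0.0.1.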