From: Wouter Wijngaards Date: Fri, 23 Oct 2015 07:13:45 +0000 (+0000) Subject: - Fix #714: Document config to block private-address for IPv4 X-Git-Tag: release-1.5.7rc1~57 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f24c3229eab6945cc9184958a83589f0a00bc7af;p=thirdparty%2Funbound.git - Fix #714: Document config to block private-address for IPv4 mapped IPv6 addresses. git-svn-id: file:///svn/unbound/trunk@3513 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index 99a5d70c2..b6b8c3c4c 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +23 October 2015: Wouter + - Fix #714: Document config to block private-address for IPv4 + mapped IPv6 addresses. + 22 October 2015: Wouter - Fix #712: unbound-anchor appears to not fsync root.key. diff --git a/doc/example.conf.in b/doc/example.conf.in index a89b228db..29a2da75d 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -315,6 +315,7 @@ server: # private-address: 169.254.0.0/16 # private-address: fd00::/8 # private-address: fe80::/10 + # private-address: ::ffff:0:0/96 # Allow the domain (and its subdomains) to contain private addresses. # local-data statements are allowed to contain private addresses too. diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 6b265db3e..d75e2b2a7 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in 
@@ -587,21 +587,22 @@ Can be given multiple times, for different domains. .TP .B private\-address: \fI Give IPv4 of IPv6 addresses or classless subnets. These are addresses -on your private network, and are not allowed to be returned for public -internet names. Any occurence of such addresses are removed from -DNS answers. Additionally, the DNSSEC validator may mark the answers -bogus. This protects against so\-called DNS Rebinding, where a user browser -is turned into a network proxy, allowing remote access through the browser -to other parts of your private network. Some names can be allowed to -contain your private addresses, by default all the \fBlocal\-data\fR -that you configured is allowed to, and you can specify additional -names using \fBprivate\-domain\fR. No private addresses are enabled -by default. We consider to enable this for the RFC1918 private IP -address space by default in later releases. That would enable private -addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 -fd00::/8 and fe80::/10, since the RFC standards say these addresses -should not be visible on the public internet. Turning on 127.0.0.0/8 -would hinder many spamblocklists as they use that. +on your private network, and are not allowed to be returned for +public internet names. Any occurence of such addresses are removed +from DNS answers. Additionally, the DNSSEC validator may mark the +answers bogus. This protects against so\-called DNS Rebinding, where +a user browser is turned into a network proxy, allowing remote access +through the browser to other parts of your private network. Some names +can be allowed to contain your private addresses, by default all the +\fBlocal\-data\fR that you configured is allowed to, and you can specify +additional names using \fBprivate\-domain\fR. No private addresses are +enabled by default. We consider to enable this for the RFC1918 private +IP address space by default in later releases. 
That would enable private +addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 +fd00::/8 and fe80::/10, since the RFC standards say these addresses +should not be visible on the public internet. Turning on 127.0.0.0/8 +would hinder many spamblocklists as they use that. Adding ::ffff:0:0/96 +stops IPv4-mapped IPv6 addresses from bypassing the filter. .TP .B private\-domain: \fI Allow this domain, and all its subdomains to contain private addresses.
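Review bot: In the doc/example.conf.in hunk, the new `# private-address: ::ffff:0:0/96` line is appended to the list of private ranges with no hint of why it belongs there; unlike 10.0.0.0/8 or fd00::/8 it is not a site-local prefix, so an operator copying the list will not know that it is the IPv4-mapped IPv6 range and is only useful when the IPv4 private-address entries above it are also enabled. Suggest a one-line comment above it, for example `# IPv4-mapped IPv6 addresses, so the IPv4 ranges above cannot be bypassed via AAAA records`, mirroring the sentence the man page hunk adds.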
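Review bot: The doc/unbound.conf.5.in hunk reflows the whole private-address paragraph but carries the existing typo and number disagreement along unchanged: "Any occurence of such addresses are removed" should read "Any occurrence of such addresses is removed" (and the unchanged context line "Give IPv4 of IPv6 addresses" should say "or"). Since the lines are being rewritten anyway, this is the place to fix them. On the added sentence, "Adding ::ffff:0:0/96 stops IPv4-mapped IPv6 addresses from bypassing the filter" states the effect but not the mechanism; a reader would be helped by one clause saying that a private IPv4 address can also be returned in an AAAA record in its IPv4-mapped form, which the IPv4 private-address entries do not match, so the /96 entry is needed whenever those entries are in use.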