How to disable unbound scrubbing?

Started by defaultuserfoo, May 24, 2022, 06:59:53 PM

Hi,

apparently unbound figures it's supposed to prevent answers to queries that ask about host names which are in local zones of the name server unbound is configured to query.  That makes unbound mostly useless.

Imagine this situation:

The name server ns.example.com (192.168.0.53) is serving the domain example.com and is connected to the LAN interface.  OPNsense has the name gw0.example.com and the LAN interface has the address 192.168.0.1.

The system name server is 192.168.0.53, and unbound is configured to forward all queries to 192.168.0.53.

When a client asks for host.example.com, 192.168.0.53 will answer 192.168.0.100.  When that same client asks for the same host, 192.168.0.1 (i.e. unbound) will answer without an IP address given in the answer.

Obviously, that sucks.  There is something in the log output of unbound like

debug: sanitize: removing public name with private address <host.example.com.> 192.168.0.53#53

So I take it that unbound somehow alters the answers given by the name server.  That seems to be default behaviour.  What kind of bug is that, and how do I make it so that unbound answers the queries correctly?

That's probably the "local zone type" setting that needs to be adjusted here, see:
https://nlnetlabs.nl/documentation/unbound/unbound.conf/#local-zone

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I thought so and tried different options, to no avail.  At least transparent and nodefault should work, but they don't.  It's like unbound does the query and then scrubs the result, and there's no option to turn that off.

Are we supposed to create networks without name resolution?

It's a general feature of consumer routers to filter DNS responses of external servers that point to internal addresses. There are attack techniques that use this.

I am not familiar with OPNsense and unbound in this regard, because I am running BIND.

Quote from: pmhausen on May 24, 2022, 11:32:09 PM
It's a general feature of consumer routers to filter DNS responses of external servers that point to internal addresses. There are attack techniques that use this.

What would be attacked by that?

Quote
I am not familiar with OPNsense and unbound in this regard, because I am running BIND.

Same here ...  Unbound could be useful, though.  If only it were configurable such that I can specify which upstream DNS servers to use per interface and/or if I could disable the scrubbing per interface ...  It's kinda nice when the gateway takes care of DNS without clients needing to go any further.  So far, I've never been happy with any such forwarder.
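An added configuration example, not from the thread, from OPNsense or from NLnet Labs: the log line quoted in the first post ("sanitize: removing public name with private address") is produced by unbound's private-address check, which strips private (RFC 1918, link-local, ULA) addresses out of answers for any name that is not covered by unbound's own local-data. That check is unbound's protection against DNS rebinding, where a browser on the LAN is steered to an attacker-controlled name that, on a later lookup, resolves to an internal address, so the browser ends up talking to internal hosts on the attacker's behalf; that is the class of attack the "attack techniques that use this" remark refers to. The narrow fix is not to change local-zone or to drop the check altogether, but to declare the internal domain with private-domain, which tells unbound that this domain and its subdomains are allowed to carry private addresses. The names and addresses (example.com, ns.example.com, 192.168.0.53) are the thread's own; the address ranges and the forward-zone block are assumptions about a plain unbound.conf. On OPNsense the unbound.conf is generated from the GUI, so treat these lines as the directives to look for rather than a file to paste.

```conf
server:
    # Rebinding protection, the check the thread's log line comes from:
    # any answer for a name outside unbound's local-data that carries one
    # of these addresses has the address removed. The thread shows it is
    # active on the poster's system; the ranges here are the usual
    # private, link-local and ULA blocks (assumed, not taken from the thread).
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

    # The thread's symptom: host.example.com -> 192.168.0.100 is scrubbed
    # because example.com is served by the internal ns.example.com, not by
    # unbound's own local-data. Allow this one domain (and its subdomains)
    # to contain private addresses instead of disabling the check globally.
    private-domain: "example.com"

forward-zone:
    # Forward everything to the internal name server, as described in the thread.
    name: "."
    forward-addr: 192.168.0.53
```

Removing every private-address line is what "disable scrubbing" would literally mean; it switches the rebinding check off for all domains, including answers coming from the public Internet. Listing the internal domain with private-domain keeps the check for everything else, and is the setting to check for first when the sanitize log line shows up for a name you expect to resolve to a LAN address.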