Unbound returns no result for public dns with private IP address ranges.

[jeremygaither]

Prior to 20.7, I was running Unbound, and it would properly resolve and return _public_ DNS entries that pointed to _private_ IP address ranges (in a 10.0.0.0/8 subnet). After upgrading to 20.7, public IPs resolve fine, but any dns entry containing an address in a private address space returns no result. It does _not_ return nxdomain, just an empty response.

[tong2x]

mine returns same ip that is a webserver that I dont why or how it was returned
but surfing is ok and pinging those domains return different ips
also using ubound on 20.7

> google.com
Server:  OPNsense.ong.net
Address:  192.168.15.1

Non-authoritative answer:
Name:    google.com.ong.net
Addresses:  2a07:7800::142
          185.151.30.142

yahoo.com
Server:  OPNsense.ong.net
Address:  192.168.15.1

Non-authoritative answer:
Name:    yahoo.com.ong.net
Addresses:  2a07:7800::142
          185.151.30.142

[staticznld]

What if you resolve google.com. ?
The trailing dot is maybe necessary.

[jeremygaither]

Let me explain better... for example, if I have two hostnames:

public.example.com A 1.1.1.1
private.example.com A 10.0.0.42

Unbound returns the proper response for public.example.com, but returns an _empty_ response for private.example.com.

[tong2x]

What if you resolve google.com. ?
The trailing dot is maybe necessary.

ok that did work in my case. was not doing it before, thank you

@jeremygaither
do you have an actual domain? we could test and replicate?
or is this your own private domain/ip?
was this manually added to ubound?

[Maurice]

@jeremygaither, it's a security feature (DNS rebinding prevention). And it's not new. This should have never worked. Are you sure it did in 20.1 without any kind of workaround?

Cheers

Maurice

[jeremygaither]

Yes, this worked on 20.1 without any workarounds.

I was looking for a non-prod example, but the domain

Code: [Select]

build.shipstation.com is in a 10.0.0.0/16 subnet, and the latest unbound on OPNsense returns an empty answer. Other entries in the domain, such as

Code: [Select]

ss.shipstation.com work fine via unbound.

I know mixing public and private entries on a zone is not a great practice, and hosting private entries on a public zone isn't either, but this mess has been in place for too many years to start changing...

Is there any way, via the interface, to disable rebinding protection, maybe for specific domains?

[Maurice]

Yes, this worked on 20.1 without any workarounds.

That's odd, 10.0.0.0/8 has been on the rebinding prevention list for many years.

Is there any way, via the interface, to disable rebinding protection, maybe for specific domains?

Globally: System / Settings / Administration / Disable DNS Rebinding Checks
For specific domains: Only by adding overrides to Unbound.

[nier]

(first post in this forum, new to opnsense, english is not my native language, please bare with me)

I'm having the same issue, using Unbound DNS and using my owned domain locally on LAN. The domain is in public hosted by a web service provider.

After updating to 20.7 i cannot do a nslookup for google.com it returns non-authoritative answer : google.com.[mydomain].se. This was working before update.
Works when using google.com. as suggested in this thread.

My case is not 100% perfect, I got the opnsense fw running friday the 21th and updated it to 20.7 yesterday. Been changing stuff both before and after. So I cannot actually say that I'm 100% certain that it's the upgrade that made this.

I actually ended up in this thread because of the IDS/IPS (ET INFO WinHttp AutoProxy Request wpad.dat Possible BadTunnel) rule alerted me of WAN IP looking for wdat.[mydomain].se. Since all wildcard domain requests ends up at the web service providers "this domain is parked..." page at port 80. I have no proxy enabled on the firewall. This I did not se before the upgrade.