[SOLVED] Updated "private addresses" using unbound (DNS resolver)

[Tikimotel]

Perhaps I'm a bit paranoid but I always update the unbound settings to include the non-internet-rout-able address space to be set as private addresses.
Maybe it is overzealous to think that (the mighty) PF and the bogon + bogonv6 rules will not protect you enough.

After each update I manually update "/usr/local/etc/inc/unbound.inc".
I  replace the default private-address rules with this setup (code blob below), this is based upon RFC standards for private address spaces.

Code: [Select]

# For DNS Rebinding prevention
#
# All these addresses are either private or should not be routable in the global IPv4 or IPv6 internet.
#
# IPv4 Addresses
#
private-address: 0.0.0.0/8       # Broadcast address
private-address: 10.0.0.0/8
private-address: 100.64.0.0/10
private-address: 127.0.0.0/8     # Loopback Localhost
private-address: 172.16.0.0/12
private-address: 192.0.0.0/24    # IANA IPv4 special purpose net
private-address: 192.0.2.0/24    # Documentation network TEST-NET
private-address: 192.168.0.0/16
private-address: 192.254.0.0/16
private-address: 198.18.0.0/15   # Used for testing inter-network communications
private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
private-address: 203.0.113.0/24  # Documentation network TEST-NET-3
private-address: 233.252.0.0/24  # Documentation network MCAST-TEST-NET
#
# IPv6 Addresses
#
private-address: ::1/128         # Loopback Localhost
private-address: 2001:db8::/32   # Documentation network IPv6
private-address: fc00::/8        # Unique local address (ULA) part of "fc00::/7", not defined yet
private-address: fd00::/8        # Unique local address (ULA) part of "fc00::/7", "/48" prefix group
private-address: fe80::/10       # Link-local address (LLA)

EOF;
Afterwards I re-save (reload) DNS resolver settings and test with the DNSBench tool made available by Gibson research "https://www.grc.com/dns/benchmark.htm"
You (I) should see a fully filled outer circle in the DNSBench tool for my current DNS resolver.
You can comment out the localhost/loopback address (127.0.0.1) than you see a ¾ filled circle with DNSBench.

[franco]

I think we can hook this in if it isn't already dealt with some other way, or maybe it's just dnsmasq that does it via command line switch and the GUI option for rebind (which in on by default!). I'll report back soon.

[franco]

No objections from me, it's in: https://github.com/opnsense/core/commit/fd00370ab1830b1ea2d98f808f4b7386569feee5

Will likely hit the road with 15.7.15-devel and then 15.7.16, I want to keep it under a little bit more of observation. Many thanks!

[Tikimotel]

I created an github account and created a pull request, to fix a private address space type-o.
192.254 should have been 169.254.
Unbound now, can not resolve some legal dns names in the 192.254 range, whoops.

[franco]

All merged and queued up for 16.7.9, thanks again.