Author Topic: Strange UnBound DNS problem with web.impfnachweis.info  (Read 2066 times)

juere

  • Jr. Member
  • Posts: 91
  • Karma: 8
Strange UnBound DNS problem with web.impfnachweis.info
« on: June 26, 2021, 05:24:40 pm »
I just stumbled across a strange DNS problem probably related to UnBound DNS.

A customer has to resolve web.impfnachweis.info, which is used by physicians in Germany to issue digital Covid19 vaccination certificates.

The address resolves fine using public DNS servers:
Code:
me@laptop02 ~
$ host web.impfnachweis.info 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

web.impfnachweis.info has address 100.102.17.10

(same result for 1.1.1.1 and 9.9.9.9)

For some reason it does not resolve using UnBound on OPNsense 21.1.6 (tested on three different gateways):

Code:
me@laptop02 ~
$ host web.impfnachweis.info 10.42.1.1
Using domain server:
Name: 10.42.1.1
Address: 10.42.1.1#53
Aliases:

whereas it does on UnBound still using OPNsense 21.1.2:

Code:
me@laptop02 ~
$ host web.impfnachweis.info 10.70.71.254
Using domain server:
Name: 10.70.71.254
Address: 10.70.71.254#53
Aliases:

web.impfnachweis.info has address 100.102.17.10

So far I have tried to restart UnBound, disabled DNSSEC on the affected gateways and increased the Log Level, with no effect and no further insight into what is happening.
Upgrading one of the affected gateways to OPNsense 21.1.7_1 also did not solve the problem.

The problem can easily be solved by defining an override for impfnachweis.info pointing to a public DNS server, but I would be very interested in what is happening here.

Has anybody experienced this and can provide an explanation?
« Last Edit: June 26, 2021, 05:43:02 pm by goodomens42 »

Pannacotta

  • Newbie
  • Posts: 5
  • Karma: 2
Re: Strange UnBound DNS problem with web.impfnachweis.info
« Reply #1 on: June 26, 2021, 06:12:37 pm »
Hi

This is most likely caused by the DNS Rebinding Protection of Unbound, which prevents DNS lookups that resolve to private IP space.
While 100.102.17.10 is not "private" in the sense of RFC1918, 100.64.0.0/12 is a special address range that is reserved for Carrier-grade NAT. See: https://en.wikipedia.org/wiki/Reserved_IP_addresses and https://datatracker.ietf.org/doc/html/rfc6890#section-2.2.2

If you want to configure unbound to allow it to return "private" IP responses for impfnachweis.info, you can do so:
Services > Unbound DNS > General > Custom Options
Then add
Code:
server:
private-domain: impfnachweis.info

Hope this helps

EDIT: see the relevant code for unbound in opnsense: https://github.com/opnsense/core/blob/master/src/etc/inc/plugins.inc.d/unbound.inc
« Last Edit: June 26, 2021, 06:16:30 pm by Pannacotta »
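To see the filtering Pannacotta describes without touching a live resolver, here is an added Python model (not code from the thread or from OPNsense): it checks answer addresses against a private-address list, applies private-domain exemptions, and renders the Custom Options snippet. The range list is an assumption standing in for the real one in unbound.inc (100.64.0.0/10 is the RFC 6598 shared address space), and the function names and sample answers are constructed for this example.

```python
import ipaddress
# Representative private-address list (an assumption; OPNsense's actual list is in
# the unbound.inc linked above). 100.64.0.0/10 is the CGNAT range from the thread.
PRIVATE_ADDRESS_RANGES = {
    "10.0.0.0/8": "RFC 1918 private",
    "172.16.0.0/12": "RFC 1918 private",
    "192.168.0.0/16": "RFC 1918 private",
    "100.64.0.0/10": "RFC 6598 shared address space (CGNAT)",
    "169.254.0.0/16": "RFC 3927 link-local",
    "127.0.0.0/8": "loopback",
    "fc00::/7": "RFC 4193 unique local",
}

def matching_private_range(ip):
    """Return (cidr, purpose) of the first listed range containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for cidr, purpose in PRIVATE_ADDRESS_RANGES.items():
        if addr in ipaddress.ip_network(cidr):
            return cidr, purpose
    return None

def in_private_domain(name, private_domains):
    """True if name is, or is below, one of the private-domain exemptions."""
    name = name.rstrip(".").lower()
    doms = [d.rstrip(".").lower() for d in private_domains]
    return any(name == d or name.endswith("." + d) for d in doms)

def filter_answers(answers, private_domains=()):
    """Simulate rebinding protection over (name, ip) answers -> {name: (ip, verdict)}."""
    out = {}
    for name, ip in answers:
        hit = matching_private_range(ip)
        if hit is None or in_private_domain(name, private_domains):
            out[name] = (ip, "returned")
        else:
            out[name] = (ip, f"dropped: {ip} is in {hit[0]} ({hit[1]})")
    return out

def unbound_custom_options(domains):
    """Render the Custom Options snippet that exempts the given domains."""
    return "server:\n" + "".join(f"  private-domain: {d}\n" for d in domains)

# Constructed sample answers; the first mirrors the thread's observation.
SAMPLE_ANSWERS = [("web.impfnachweis.info", "100.102.17.10"),
                  ("www.example.com", "203.0.113.10"),
                  ("rebind-test.example.net", "192.168.1.1")]
if __name__ == "__main__":
    for n, (ip, verdict) in filter_answers(SAMPLE_ANSWERS).items():
        print(f"{n:26} {verdict}")
    print(unbound_custom_options(["impfnachweis.info"]))
```

Run it once without exemptions and once with `["impfnachweis.info"]` to see the CGNAT answer move from dropped to returned while the RFC 1918 answer stays blocked.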

juere

  • Jr. Member
  • Posts: 91
  • Karma: 8
Re: Strange UnBound DNS problem with web.impfnachweis.info
« Reply #2 on: June 26, 2021, 06:31:57 pm »
That was quick and it does help :)
Entering impfnachweis.info as private domain fixes the problem.

Just because I'm curious: has the behaviour regarding the treatment of carrier-grade NAT addresses in Unbound changed recently?
