Hi,
I recently noticed, that I can send an arbitrary EDNS client subnet to my unbound instance, which unbound then uses instead of my DNS request's IP header address.
From my understanding of the code, around here https://github.com/NLnetLabs/unbound/blob/master/edns-subnet/subnetmod.c#L719 unbound only uses the DNS request's IP address ('query_reply.addr'), if no client subnet data is in the request.
I would have expected being able to harden unbound against this kind of spoofing, but there seems to be no config option.
Is this hardening something, that isn't expected to be done in unbound?
See also: https://github.com/NLnetLabs/unbound/issues/298
Thoughts appreciated.
Cheers
Andreas