Private-address behaviour

Greetings,

After configuring private-address (and private-domain) entries I was hoping that unbound would simply strip the private IP addresses from responses.
However in my testing (unbound 1.4.8 and previous versions) I’m seeing that the queries will SERVFAIL, also for domains whose NS records point to a name that resolves to a private address, for example:

private-address: 192.168.0.0/16
private-address: 127.0.0.1/8

$ dig smithfield.com @unbound

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22290

;; QUESTION SECTION:
;smithfield.com. IN A

;; Query time: 904 msec

$ dig @ns2.ndshq.com. smithfield.com

;; ANSWER SECTION:
smithfield.com. 38400 IN A 72.3.245.136

;; AUTHORITY SECTION:
smithfield.com. 38400 IN NS ns1.ndshq.com.
smithfield.com. 38400 IN NS ns2.ndshq.com.
smithfield.com. 38400 IN NS ns0.ndshq.com.

;; ADDITIONAL SECTION:
ns0.ndshq.com. 38400 IN A 192.168.6.11
ns1.ndshq.com. 38400 IN A 65.173.99.98
ns2.ndshq.com. 38400 IN A 173.50.95.13

$ dig mailfrom.com @unbound

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46581

;; QUESTION SECTION:
;mailfrom.com. IN A

;; Query time: 2442 msec

$ dig mailfrom.com @ns1.sedoparking.com.

;; ANSWER SECTION:
mailfrom.com. 86400 IN A 127.0.0.1

I’m wondering if this is expected behaviour? Should I be seeing SERVFAIL (note long query time) or NOERROR/NODATA with private data stripped?

Thanks very much.

Hi Jakub,

Greetings,

After configuring private-address (and private-domain) entries I was
hoping that unbound would simply strip the private IP addresses from
responses.
However in my testing (unbound 1.4.8 and previous versions) I'm seeing
that the queries will SERVFAIL, also for domains whose NS records point
to a name that resolves to a private address, for example:

Yes this is caused by line 648 of iterator/iter_scrub.c. This is
extra-paranoid, since it can also just strip off the offending record.

I'm wondering if this is expected behaviour? Should I be seeing SERVFAIL
(note long query time) or NOERROR/NODATA with private data stripped?

If you comment out that line you get the behaviour with NOERROR/NODATA
with private data stripped.

Best regards,
   Wouter
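As an added illustration, not code from the thread or from unbound itself, the following Python model contrasts the two scrubbing policies Wouter describes: rejecting the whole response when any private address appears (the SERVFAIL seen above) versus dropping only the offending records. It uses the private-address ranges and the two dig responses from the original post; the section names, the `RR` tuple and the `private_domain` allowlist parameter are assumptions of this model, not unbound's internal API.

```python
import ipaddress
from typing import NamedTuple

# private-address ranges from the unbound.conf in the original post
PRIVATE_ADDRESS = [ipaddress.ip_network(n, strict=False)
                   for n in ("192.168.0.0/16", "127.0.0.1/8")]

class RR(NamedTuple):
    name: str    # owner name, e.g. "ns0.ndshq.com."
    rtype: str   # "A", "AAAA", "NS", ...
    rdata: str

def under_domain(name, domains):
    """True if name is at or below one of domains (private-domain semantics)."""
    n = name.rstrip(".").lower()
    return any(n == d or n.endswith("." + d) for d in (x.rstrip(".").lower() for x in domains))

def is_offending(rr, private_domain=()):
    """An A/AAAA record carrying a private address, unless its owner is allowlisted."""
    if rr.rtype not in ("A", "AAAA"):
        return False
    if under_domain(rr.name, private_domain):
        return False
    return any(ipaddress.ip_address(rr.rdata) in net for net in PRIVATE_ADDRESS)

def scrub(response, paranoid, private_domain=()):
    """Return (rcode, sections). paranoid=True rejects the whole response
    (the SERVFAIL reported in the thread); paranoid=False drops only the
    offending records, giving NOERROR (NODATA if the answer section empties)."""
    if paranoid and any(is_offending(rr, private_domain)
                        for rrs in response.values() for rr in rrs):
        return "SERVFAIL", {}
    cleaned = {sec: [rr for rr in rrs if not is_offending(rr, private_domain)]
               for sec, rrs in response.items()}
    return "NOERROR", cleaned

# Constructed from the dig output in the original post
SMITHFIELD = {
    "answer": [RR("smithfield.com.", "A", "72.3.245.136")],
    "authority": [RR("smithfield.com.", "NS", "ns1.ndshq.com."),
                  RR("smithfield.com.", "NS", "ns2.ndshq.com."),
                  RR("smithfield.com.", "NS", "ns0.ndshq.com.")],
    "additional": [RR("ns0.ndshq.com.", "A", "192.168.6.11"),
                   RR("ns1.ndshq.com.", "A", "65.173.99.98"),
                   RR("ns2.ndshq.com.", "A", "173.50.95.13")],
}
MAILFROM = {"answer": [RR("mailfrom.com.", "A", "127.0.0.1")]}

if __name__ == "__main__":
    print(scrub(MAILFROM, paranoid=True)[0], scrub(MAILFROM, paranoid=False))
```

With the strip-only policy, smithfield.com keeps its public A record and loses only the ns0 glue, while mailfrom.com becomes NOERROR/NODATA; listing ndshq.com under private_domain lets its glue through even in paranoid mode.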

Thanks very much Wouter - works as you said.

Best regards,

-- Aaron

[Ignore my typo of a blank message sent to the list if you see it.]

Yes this is caused by line 648 of iterator/iter_scrub.c. This is
extra-paranoid, since it can also just strip off the offending record.

I ran into this too, and I had to disable private-address on user-facing
instances of unbound because there are apparently enough slightly broken
domains that list additional records of RFC1918 nameservers to be annoying.

Can removing this line of code be the default behavior? I suspect you
would take issue with asking that this turn into a config toggle, which I'd
also be fine with.

                                     -- Aaron

+1 for config option or stripping without servfail.

Paul

Hi,