| author | des <des@FreeBSD.org> | 2014-07-18 11:32:44 +0000 |
|---|---|---|
| committer | des <des@FreeBSD.org> | 2014-07-18 11:32:44 +0000 |
| commit | d96c67cabdd8553d6547ab549c8a31d73216ca58 (patch) | |
| tree | be4bfe814455ceb6ca5c8d81a2b77a7723bacde0 /contrib/unbound/doc | |
| parent | 4691d48742e02c973343f0e0b07fa08d0ae9a5a8 (diff) | |
| download | FreeBSD-src-d96c67cabdd8553d6547ab549c8a31d73216ca58.zip, FreeBSD-src-d96c67cabdd8553d6547ab549c8a31d73216ca58.tar.gz | |
Import unblock-lan-zones feature backported from upstream svn trunk.
This is a partial fix for reverse lookups in RFC 1918 networks. With
this option enabled, unbound no longer ignores these queries; however,
it will still reject the answer it gets from the forwarder, because
the RFC 1918 reverse zones are signed.
Submitted by: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Diffstat (limited to 'contrib/unbound/doc')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | contrib/unbound/doc/example.conf.in | 9 |
| -rw-r--r-- | contrib/unbound/doc/unbound.conf.5 | 11 |
| -rw-r--r-- | contrib/unbound/doc/unbound.conf.5.in | 11 |

3 files changed, 30 insertions, 1 deletions
diff --git a/contrib/unbound/doc/example.conf.in b/contrib/unbound/doc/example.conf.in index c13fbae..9e91d1f 100644 --- a/contrib/unbound/doc/example.conf.in +++ b/contrib/unbound/doc/example.conf.in @@ -437,7 +437,14 @@ server: # the amount of memory to use for the negative cache (used for DLV). # plain value in bytes or you can append k, m or G. default is "1Mb". # neg-cache-size: 1m - + + # if unbound is running service for the local host then it is useful + # to perform lan-wide lookups to the upstream, and unblock the + # long list of local-zones above. If this unbound is a dns server + # for a network of computers, disabled is better and stops information + # leakage of local lan information. + # unblock-lan-zones: no + # By default, for a number of zones a small default 'nothing here' # reply is built-in. Query traffic is thus blocked. If you # wish to serve such zone you can unblock them by uncommenting one diff --git a/contrib/unbound/doc/unbound.conf.5 b/contrib/unbound/doc/unbound.conf.5 index 6a8d6a6..a106733 100644 --- a/contrib/unbound/doc/unbound.conf.5 +++ b/contrib/unbound/doc/unbound.conf.5 
@@ -778,6 +778,17 @@ Number of bytes size of the aggressive negative cache. Default is 1 megabyte. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes or gigabytes (1024*1024 bytes in a megabyte). .TP +.B unblock\-lan\-zones: \fI<yesno> +Default is disabled. If enabled, then for private address space, +the reverse lookups are no longer filtered. This allows unbound when +running as dns service on a host where it provides service for that host, +to put out all of the queries for the 'lan' upstream. When enabled, +only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured +with default local zones. Disable the option when unbound is running +as a (DHCP-) DNS network resolver for a group of machines, where such +lookups should be filtered (RFC compliance), this also stops potential +data leakage about the local network to the upstream DNS servers. +.TP .B local\-zone: \fI<zone> <type> Configure a local zone. The type determines the answer to give if there is no match from local\-data. The types are deny, refuse, static, diff --git a/contrib/unbound/doc/unbound.conf.5.in b/contrib/unbound/doc/unbound.conf.5.in index 75967e1..aadd0da 100644 --- a/contrib/unbound/doc/unbound.conf.5.in +++ b/contrib/unbound/doc/unbound.conf.5.in 
@@ -778,6 +778,17 @@ Number of bytes size of the aggressive negative cache. Default is 1 megabyte. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes or gigabytes (1024*1024 bytes in a megabyte). .TP +.B unblock\-lan\-zones: \fI<yesno> +Default is disabled. If enabled, then for private address space, +the reverse lookups are no longer filtered. This allows unbound when +running as dns service on a host where it provides service for that host, +to put out all of the queries for the 'lan' upstream. When enabled, +only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured +with default local zones. Disable the option when unbound is running +as a (DHCP-) DNS network resolver for a group of machines, where such +lookups should be filtered (RFC compliance), this also stops potential +data leakage about the local network to the upstream DNS servers. +.TP .B local\-zone: \fI<zone> <type> Configure a local zone. The type determines the answer to give if there is no match from local\-data. The types are deny, refuse, static, |
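Review bot: in the example.conf.in hunk, the comment "unblock the long list of local-zones above" points the wrong way: the built-in 'nothing here' zones it refers to are introduced in the paragraph that follows the insertion ("By default, for a number of zones a small default 'nothing here' reply is built-in"), so "above" should read "below". Minor: "dns server" and "local lan information" should be spelled "DNS server" and "local LAN information", and the default line "# unblock-lan-zones: no" is the right one to ship commented out, since the same comment explains that a resolver serving a network of machines should keep the option disabled to avoid leaking local network information upstream.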
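Review bot: the new unblock-lan-zones entry in the unbound.conf.5 hunk omits the limitation stated in the commit message, namely that even with the option enabled unbound still rejects the forwarder's answers because the RFC 1918 reverse zones are signed; a reader of the man page alone will expect reverse lookups in private address space to start working. Suggest adding a sentence to that effect after "the reverse lookups are no longer filtered." Minor: "lookups should be filtered (RFC compliance), this also stops potential" is a comma splice, split it into two sentences, and "dns service" and "DNS network resolver" in the same paragraph should use one spelling.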
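Review bot: the same points raised for the unbound.conf.5 hunk apply to the unbound.conf.5.in hunk, since the paragraph is identical: the entry should mention the commit-message limitation that the forwarder's answers are still rejected because the RFC 1918 reverse zones are signed, the comma splice before "this also stops potential" should be broken up, and "dns"/"DNS" should be spelled consistently. Whatever wording is settled on needs to land in both files so the two copies of the paragraph do not drift apart.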