author | Phil Davis <phil.davis@inf.org> | 2014-11-16 14:58:42 +0545 |
---|---|---|
committer | Phil Davis <phil.davis@inf.org> | 2014-11-16 14:58:42 +0545 |
commit | 984abd663d30f71a76aa1ae72c1e0832b564d11e (patch) | |
tree | 3d5e25eb0c86bb4e1cb85c05351b428c7f2f34c2 /etc | |
parent | 4e82cebf52022a4ab4ba3fe5ae6226fbf29864f1 (diff) | |
Handle reverse-lookup zones for unbound
By default unbound returns nothing for private reverse lookups. Here is some information about that from https://www.unbound.net/documentation/unbound.conf.html
--------
The default zones are localhost, reverse 127.0.0.1 and ::1, and the
AS112 zones. The AS112 zones are reverse DNS zones for private use and
reserved IP addresses for which the servers on the internet cannot pro-
vide correct answers. They are configured by default to give nxdomain
(no reverse information) answers. The defaults can be turned off by
specifying your own local-zone of that name, or using the 'nodefault'
type. Below is a list of the default zone contents.
--------
Specifying 'nodefault' alone did not work. Other threads show people using this in unbound.conf instead:
--------
local-zone: "49.10.in-addr.arpa" typetransparent
--------
Note that it works specifying the domain override with or without a final "." So the code here checks for the special cases of ".in-addr.arpa" and ".in-addr.arpa." at the end of a domain override name.
With this code my domain override entries for private reverse lookups work.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/unbound.inc | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/etc/inc/unbound.inc b/etc/inc/unbound.inc
index d4991fd..3e53698 100644
--- a/etc/inc/unbound.inc
+++ b/etc/inc/unbound.inc
@@ -158,9 +158,12 @@ EOF;
 	}
 	// Allow DNS Rebind for forwarded domains
-	if ((isset($config['unbound']['domainoverrides']) && is_array($config['unbound']['domainoverrides'])) && !isset($config['system']['webgui']['nodnsrebindcheck'])) {
-		$private_domains = "# Set private domains in case authoritative name server returns a Private IP address\n";
-		$private_domains .= unbound_add_domain_overrides(true);
+	if (isset($config['unbound']['domainoverrides']) && is_array($config['unbound']['domainoverrides'])) {
+		if (!isset($config['system']['webgui']['nodnsrebindcheck'])) {
+			$private_domains = "# Set private domains in case authoritative name server returns a Private IP address\n";
+			$private_domains .= unbound_add_domain_overrides("private");
+		}
+		$reverse_zones .= unbound_add_domain_overrides("reverse");
 	}
 	// Configure static Host entries
@@ -246,6 +249,7 @@ EOD;
 # Server configuration
 ##
 server:
+{$reverse_zones}
 chroot: {$g['unbound_chroot_path']}
 username: "unbound"
 directory: "{$g['unbound_chroot_path']}"
@@ -433,7 +437,7 @@ function do_as_unbound_user($cmd) {
 	}
 }
-function unbound_add_domain_overrides($pvt=false) {
+function unbound_add_domain_overrides($pvt_rev="") {
 	global $config, $g;
 	$domains = $config['unbound']['domainoverrides'];
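Review bot: `$reverse_zones .= unbound_add_domain_overrides("reverse");` appends to a variable that nothing in this hunk initializes, while the heredoc at `server:` interpolates `{$reverse_zones}` unconditionally; when `domainoverrides` is absent the variable is undefined at that point (PHP notice, empty output), and whether it is defined earlier in the function cannot be seen from here. Initialize it before the `if`, `$reverse_zones = "";`, and since this is the only place that adds to it, plain `=` instead of `.=` would also make the intent clearer. The enclosing function starts before this hunk.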
@@ -450,9 +454,13 @@ function unbound_add_domain_overrides($pvt=false) {
 	// Domain overrides that have multiple entries need multiple stub-addr: added
 	$domain_entries = "";
 	foreach($result as $domain=>$ips) {
-		if ($pvt == true) {
+		if ($pvt_rev == "private") {
 			$domain_entries .= "private-domain: \"$domain\"\n";
 			$domain_entries .= "domain-insecure: \"$domain\"\n";
+		} else if ($pvt_rev == "reverse") {
+			if ((substr($domain,-14) == ".in-addr.arpa.") || (substr($domain,-13) == ".in-addr.arpa")) {
+				$domain_entries .= "local-zone: \"$domain\" typetransparent\n";
+			}
 		} else {
 			$domain_entries .= "stub-zone:\n";
 			$domain_entries .= "\tname: \"$domain\"\n";
@@ -462,7 +470,7 @@ function unbound_add_domain_overrides($pvt=false) {
 		}
 	}
-	if ($pvt == true)
+	if ($pvt_rev == true)
 		return $domain_entries;
 	else
 		file_put_contents("{$g['unbound_chroot_path']}/domainoverrides.conf", $domain_entries);
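Review bot: The suffix test in the new `else if ($pvt_rev == "reverse")` branch only recognizes IPv4 reverse zones; an override ending in `.ip6.arpa` (for instance a ULA PTR zone, which the unbound default-zone list quoted in the commit message also suppresses) gets no `local-zone ... typetransparent` line and would keep answering NXDOMAIN. The comparison is also case-sensitive, so a name entered as `.IN-ADDR.ARPA` is missed even though DNS names are not case-sensitive. Suggested: `$zone = strtolower(rtrim($domain, "."));` followed by `if (substr($zone, -13) == ".in-addr.arpa" || substr($zone, -9) == ".ip6.arpa") {`, still emitting the original `$domain` in the directive. Note that `$domain` is written into the generated unbound.conf without escaping, as the existing private-domain lines already do, so this relies on the web UI rejecting names containing `"` or newlines — worth confirming, since such a value would inject further directives.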
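Review bot: `if ($pvt_rev == true)` depends on PHP's loose comparison of a string against a boolean (any non-empty string, including "private" and "reverse", is `== true`, and "" is not), which gives the intended result but reads as if the parameter were still the old boolean. Spell the intent out, `if ($pvt_rev != "")`, or check the two known modes explicitly, `if ($pvt_rev === "private" || $pvt_rev === "reverse")`, so a mistyped mode does not silently fall through to the stub-zone file write. The function's remaining lines are outside the hunk.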