On 25 Apr 2022, at 18:47, Paul Wouters <[email protected]> wrote:

> On Apr 25, 2022, at 15:12, Fredrik Pettai via Unbound-users <[email protected]> wrote:
>>
>> Hi,
>>
>> It was some years since this option was added (unbound 1.5.7 I think).
>> As per the man page for unbound.conf:
>>
>> ...skipping...
>> private-address: <IP address or subnet>
>> Give IPv4 of IPv6 addresses or classless subnets. These are
>> addresses on your private network, and are not allowed to be
>> returned for public internet names. Any occurrence of such
>> addresses are removed from DNS answers.
>>
>> Q: Are there any plans to update this and add the RFC1918 addresses
>> as non-resolvable by default ?
>
> I hope not. I think that would lead to many unexpected failures. I think this
> is an item that the DNS admin should enable if they are confident.
>
> Additionally, if using unbound on laptops and you getting on via hotspots
> this would break badly.
After an internal discussion we came to a similar conclusion.
Perhaps the man-page should delete this sentence:
"We consider to enable this for the RFC1918
private IP address space by default in later releases"
…since it hasn't happened in the last ~7 years now :)
We're using this:
do-not-query-address: <RFC1918-addresses>
Perhaps a new complementary option to "do-not-query-localhost" would be useful.
(For example, a "do-not-query-rfc1918: yes/no" option)
Thx,
/P
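For readers following the thread, here is an added unbound.conf fragment (not from the thread, not the Unbound project's own documentation) that spells out the two settings being contrasted: do-not-query-address, which stops the resolver from sending queries to the listed ranges, and private-address, which strips those ranges out of answers for public names (the rebinding defence that Paul argues must stay opt-in). The ranges are the three RFC1918 blocks; private-domain is an existing Unbound option for exempting zones that legitimately return private addresses, and "corp.example" is a placeholder name.

```conf
server:
    # Never send queries to RFC1918 ranges (the setting Fredrik says they use).
    # Each option may be repeated once per range.
    do-not-query-address: 10.0.0.0/8
    do-not-query-address: 172.16.0.0/12
    do-not-query-address: 192.168.0.0/16

    # Remove RFC1918 addresses from answers for public names (DNS rebinding
    # defence). Left opt-in: on a laptop behind a captive portal or in a
    # split-horizon network this strips answers the client actually needs.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16

    # Zones that are expected to resolve to private addresses must be listed
    # here, otherwise private-address strips their records too.
    # "corp.example" is a placeholder for your own internal zone.
    private-domain: "corp.example"
```

After changing these, `unbound-checkconf` validates the syntax, and a quick `dig` against the resolver for a name in the private-domain zone confirms that its private addresses still come back while a public name carrying an RFC1918 address does not.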