How to make Unbound block private IPs in resolved domains (DNS rebinding)

Question

I set up Unbound in my local network as a local DNS resolver. I noticed that it will not filter any private IP addresses in the resolved domains and forward any IP address that a domain resolves to.

In order to protect against DNS rebinding, I would like to make Unbound not return any private IP addresses from public domains to the clients, however I haven't found any information on that from the official documentation. Apparently dnsmasq does this protection by default.

score 5 · Accepted Answer · edited Jul 14 '20 at 11:53

5

That is called private-address: in Unbound. See this document and look for "private-address: "

edited Jul 14 '20 at 11:53

Matt

1,537
8
11

answered Jul 06 '17 at 19:12

Aaron

2,809
2
11
29

Don't know how I missed that. This solves my question, thanks! – comfreak Jul 06 '17 at 19:14
No problem. I miss things all the time :-) – Aaron Jul 06 '17 at 19:15
1

I would like to add that it is required to add the `private-address` option multiple times for multiple networks, as it is explained for `private-domain` right below. ;-) – comfreak Jul 06 '17 at 22:02

How to make Unbound block private IPs in resolved domains (DNS rebinding)

1 Answers1