Bugzilla – Full Text Bug Listing
Summary: "private-address" does not handle IPv4-mapped IPv6 addresses in AAAA records
Product: unbound    Reporter: Jordan Milne <unbound>
Component: server    Assignee: unbound team <unbound-team>
Description Jordan Milne 2015-10-22 17:09:27 CEST
Given a config like

    server:
        private-address: 192.168.0.0/16

unbound will drop A records containing "192.168.2.1", but will return AAAA records containing the IPv4-mapped "::ffff:192.168.2.1". For example:

    $ host router.saynotolinux.com 127.0.0.1
    Using domain server:
    Name: 127.0.0.1
    Address: 127.0.0.1#53
    Aliases:

    $ host routerv4mapped.saynotolinux.com 127.0.0.1
    Using domain server:
    Name: 127.0.0.1
    Address: 127.0.0.1#53
    Aliases:

    routerv4mapped.saynotolinux.com has IPv6 address ::ffff:192.168.2.1

Clients that support IPv4-mapped IPv6 addresses will take that address and connect directly to 192.168.2.1 over IPv4. As far as I can tell, none of the BSDs will connect to IPv4-mapped addresses by default, but I've confirmed that several Linux distros will.

For workarounds, I've seen configs where people do

    private-address: ::ffff:0:0/96

which is the best approach IMO, but those are in the minority, so unbound should try to sanely deal with IPv4-mapped IPv6 addresses.

For context, see http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009491.html for a similar issue in dnsmasq.
Comment 1 Wouter Wijngaards 2015-10-23 09:14:52 CEST
Hi Jordan,

I documented this in the example config and the manual page for unbound.conf, suggesting the /96 block that you list as the correct fix. It is now listed with the other 10/8 and so on netblocks as a suggestion to block them.

Best regards,
Wouter
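The following is an added example, not code from the bug report or from unbound itself. It models the rebinding-protection check the report describes: a literal "is this address inside a private-address netblock" test (what the report says unbound did) misses an AAAA record carrying an IPv4-mapped address, while either adding the ::ffff:0:0/96 block that Wouter documented, or unwrapping the embedded IPv4 address before the check, catches it. The private-address list, the record names and the helper names are constructed for this example; only 192.168.0.0/16 and ::ffff:192.168.2.1 come from the report. The per-netblock expansion in mapped_equivalent goes slightly beyond the page: it derives the mapped /112 for each IPv4 block rather than blocking all of ::ffff:0:0/96.

```python
import ipaddress
from typing import List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed private-address list, written the way the netblocks would
# appear in unbound.conf. The report itself only used 192.168.0.0/16.
PRIVATE_ADDRESS = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "fd00::/8",
]


def parse_nets(entries: List[str]) -> List[IPNetwork]:
    """Parse a private-address style list into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def mapped_equivalent(net: ipaddress.IPv4Network) -> ipaddress.IPv6Network:
    """The IPv4-mapped IPv6 netblock (::ffff:a.b.c.d/N+96) for an IPv4 block.

    192.168.0.0/16 becomes ::ffff:192.168.0.0/112. This is a tighter
    alternative to blocking all of ::ffff:0:0/96 (assumed helper).
    """
    base = 0xFFFF << 32  # the ::ffff:0:0/96 prefix as an integer
    return ipaddress.IPv6Network((base | int(net.network_address), net.prefixlen + 96))


def with_mapped_blocks(nets: List[IPNetwork]) -> List[IPNetwork]:
    """Return nets plus the IPv4-mapped twin of every IPv4 netblock."""
    extra = [mapped_equivalent(n) for n in nets if isinstance(n, ipaddress.IPv4Network)]
    return list(nets) + extra


def naive_is_private(rrtype: str, rdata: str, nets: List[IPNetwork]) -> bool:
    """Literal check: is the record's address inside one of the netblocks?

    This mirrors the behaviour the report describes: an AAAA record holding
    ::ffff:192.168.2.1 is an IPv6 address, so it never matches 192.168.0.0/16.
    """
    addr = ipaddress.ip_address(rdata)
    return any(addr in n for n in nets if n.version == addr.version)


def effective_address(rrtype: str, rdata: str) -> IPAddress:
    """The address a client will actually connect to for this record.

    For an AAAA record that carries an IPv4-mapped address, a client with
    mapped-address support connects over IPv4 to the embedded address.
    """
    addr = ipaddress.ip_address(rdata)
    if rrtype == "A":
        return addr
    if rrtype == "AAAA":
        embedded = addr.ipv4_mapped  # IPv4Address or None
        return embedded if embedded is not None else addr
    raise ValueError("only A and AAAA carry addresses: %r" % rrtype)


def is_private(rrtype: str, rdata: str, nets: List[IPNetwork]) -> bool:
    """Check the address the client would use, not the literal rdata."""
    addr = effective_address(rrtype, rdata)
    return any(addr in n for n in nets if n.version == addr.version)


if __name__ == "__main__":
    nets = parse_nets(PRIVATE_ADDRESS)
    # Constructed records for the two names from the report.
    records = [
        ("router.saynotolinux.com", "A", "192.168.2.1"),
        ("routerv4mapped.saynotolinux.com", "AAAA", "::ffff:192.168.2.1"),
        ("example.invalid", "AAAA", "2001:db8::1"),
    ]
    fixed_nets = parse_nets(PRIVATE_ADDRESS + ["::ffff:0:0/96"])
    for name, rrtype, rdata in records:
        print(name, rrtype, rdata,
              "naive=%s" % naive_is_private(rrtype, rdata, nets),
              "with_/96=%s" % naive_is_private(rrtype, rdata, fixed_nets),
              "unwrapped=%s" % is_private(rrtype, rdata, nets))
```

The naive check is the shape of the bug: the AAAA record is an IPv6 value, the netblock is IPv4, so the comparison can never match. Adding ::ffff:0:0/96 to private-address (Wouter's documented fix) makes the literal check work without changing the resolver; unwrapping the mapped address (is_private) makes the check independent of the config. Either way, an A record containing 192.168.2.1 and an AAAA record containing ::ffff:192.168.2.1 must be treated identically, since a Linux client will reach the same host over IPv4 from both.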