Bug 714

Summary: "private-address" does not handle IPv4-mapped IPv6 addresses in AAAA records
Product: unbound Reporter: Jordan Milne <unbound>
Component: server    Assignee: unbound team <unbound-team>
Status: RESOLVED FIXED
Severity: normal    CC: cathya, wouter
Priority: P5
Version: 1.5.3
Hardware: x86_64
OS: FreeBSD

Description Jordan Milne 2015-10-22 17:09:27 CEST
Given a config like 

    server:
        private-address: 192.168.0.0/16

unbound will drop A records containing "192.168.2.1", but will return AAAA records containing the IPv4-mapped "::ffff:192.168.2.1". For example:

    $ host router.saynotolinux.com 127.0.0.1
    Using domain server:
    Name: 127.0.0.1
    Address: 127.0.0.1#53
    Aliases: 

    $ host routerv4mapped.saynotolinux.com 127.0.0.1
    Using domain server:
    Name: 127.0.0.1
    Address: 127.0.0.1#53
    Aliases: 
    
    routerv4mapped.saynotolinux.com has IPv6 address ::ffff:192.168.2.1

Clients that support IPv4-mapped IPv6 addresses will take that address and connect directly to 192.168.2.1 over IPv4. As far as I can tell, none of the BSDs will connect to IPv4-mapped addresses by default, but I've confirmed that several Linux distros will.

For workarounds, I've seen configs where people do

    private-address: ::ffff:0:0/96

which is the best approach IMO, but those are in the minority, so unbound should try to sanely deal with IPv4-mapped IPv6 addresses.

For context, see http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009491.html for a similar issue in dnsmasq.
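The behaviour described in this report, as an added Python example that is not unbound's own code: a literal-only private-address match (which lets the IPv4-mapped AAAA through, as reported), beside a match that also inspects the embedded IPv4 address, and the ::ffff:0:0/96 workaround. The configured block list and the record data are constructed to mirror the report.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed: the report's configuration, private-address: 192.168.0.0/16 only.
REPORT_CONFIG: Tuple[ipaddress._BaseNetwork, ...] = (
    ipaddress.ip_network("192.168.0.0/16"),
)

# Constructed: the same configuration plus the /96 workaround from the report.
WORKAROUND_CONFIG = REPORT_CONFIG + (ipaddress.ip_network("::ffff:0:0/96"),)


def is_private_literal(addr: str, blocks=REPORT_CONFIG) -> bool:
    """Literal match only: an IPv6 address can never fall inside an IPv4 block,
    so ::ffff:192.168.2.1 passes when only 192.168.0.0/16 is configured."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in blocks)


def is_private_mapped_aware(addr: str, blocks=REPORT_CONFIG) -> bool:
    """Match the address itself and, for an IPv4-mapped IPv6 address, the
    embedded IPv4 address as well, so an IPv4 block also covers ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    candidates = [ip]
    if ip.version == 6 and ip.ipv4_mapped is not None:
        candidates.append(ip.ipv4_mapped)
    return any(c.version == net.version and c in net
               for c in candidates for net in blocks)


def filter_rdata(rdata: Iterable[str], blocks=REPORT_CONFIG,
                 check=is_private_literal) -> list:
    """Return the A/AAAA rdata that would be handed back to the client."""
    return [r for r in rdata if not check(r, blocks)]


if __name__ == "__main__":
    answers = ["192.168.2.1", "::ffff:192.168.2.1", "2001:db8::1"]
    print("literal:     ", filter_rdata(answers))
    print("mapped-aware:", filter_rdata(answers, check=is_private_mapped_aware))
    print("workaround:  ", filter_rdata(answers, WORKAROUND_CONFIG))
```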
Comment 1 Wouter Wijngaards 2015-10-23 09:14:52 CEST
Hi Jordan,

I documented this in the example config and the manual page for unbound.conf; suggesting the /96 block that you list as the correct fix.  It is now listed with the other 10/8 and so on netblocks as a suggestion to block them.

Best regards, Wouter