Bug 2977 - do-not-query-localhost should not apply to local configuration
Status: ASSIGNED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.6.7
Hardware: All   OS: All
Importance: P5 minor
Assigned To: unbound team
Depends on:
Blocks:
Reported: 2017-11-16 08:28 CET by Stéphane Bortzmeyer
Modified: 2017-11-16 09:25 CET (History)
CC: 2 users

Description Stéphane Bortzmeyer 2017-11-16 08:28:01 CET
By default, Unbound does not query localhost, to avoid being attacked by responses like:

example.com. IN NS localhost.

But it applies as well to local configuration. If I write in the config file:

forward-zone:
    name: "."
    forward-addr: ::1@8053

Unbound does not query localhost and cannot work anymore (always SERVFAIL). (And nothing is logged.)

This can be disabled with 'do-not-query-localhost: no' but it reopens the risk for the NS replies.

So, do-not-query-localhost should not apply to local configuration, only to NS answers.
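The two configurations the report describes, side by side, as an added example that is not part of the bug report or of the Unbound project's own documentation. The listening address, the access-control line, and the assumption that a separate local resolver (for example a DNS-over-TLS stub) is what listens on ::1 port 8053 are illustrative assumptions; only the forward-zone and do-not-query-localhost settings come from the report:

```conf
# Added example: a minimal unbound.conf for the scenario in the report.
# Assumed: Unbound serves 127.0.0.1:53, and a separate local resolver
# (e.g. a DNS-over-TLS stub) listens on ::1 port 8053.
server:
    interface: 127.0.0.1
    port: 53
    access-control: 127.0.0.0/8 allow

    # The default is "yes": Unbound refuses to send queries to loopback
    # addresses, which is what stops an answer such as
    # "example.com. IN NS localhost." from redirecting resolution to a
    # listener on the local machine. With the forward-zone below, that same
    # default also blocks the forwarder, so every query ends in SERVFAIL
    # and, as the report notes, nothing is logged.
    #do-not-query-localhost: yes

    # The only workaround available in 1.6.7: disable the check globally.
    # Caveat: this reopens the NS-to-localhost case for every zone, and
    # do-not-query-address cannot narrow it back down, because it matches
    # on IP address or netblock only (no port); blocking ::1 there would
    # also block the forwarder.
    do-not-query-localhost: no

# Forward everything to the local resolver on ::1 port 8053 (from the report).
forward-zone:
    name: "."
    forward-addr: ::1@8053
```

Run `unbound-checkconf` on the file before deploying; it accepts both variants, so the SERVFAIL behaviour only shows up at query time.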
Comment 1 Wouter Wijngaards 2017-11-16 09:25:11 CET
Hi Stephane,

That is an interesting idea.  In the code where that check happens, I don't see the origin of the IP address.  Also, the user could be surprised.  And I don't like that way of config.

You seem to have a different interpretation of what happens.  Documentation may help people get the same interpretation.  I think that is likely better.

NS localhost is not somehow worse than forward-addr.

The most salient difference is actually the port number: the first is port 53, the other something else.  But I also don't want to complicate the do-not-query config with port numbers.  That could lead to inadvertent holes in the config as only one port is blocked, or stuff like that.

Best regards, Wouter