Bugzilla – Bug 2977
do-not-query-localhost should not apply to local configuration
Last modified: 2017-11-16 09:25:11 CET
By default, Unbound does not query localhost, to avoid being attacked by responses like:
example.com. IN NS localhost.
But it applies as well to local configuration. If I write in the config file:
Unbound does not query localhost and cannot work anymore (always SERVFAIL). (And nothing is logged.)
This can be disabled with 'do-not-query-localhost: no' but it reopens the risk for the NS replies.
So, do-not-query-localhost should not apply to local configuration, only to NS answers.
That is an interesting idea. In the code where that check happens, I don't see the origin of the IP address. Also, the user could be surprised. And I don't like that way of config.
You seem to have a different interpretation of what happens. Documentation may help people get the same interpretation. I think that is likely better.
NS localhost is not somehow worse than forward-addr.
The most salient difference is actually the port number, the first is port 53 the other something else. But I also don't want to complicate the do-not-query config with port numbers. That could lead to inadvertent holes in the config as only one port is blocked, or stuff like that.
Best regards, Wouter
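As an added illustration (not part of the bug report or of Unbound's own documentation), this is the kind of configuration the thread is about: a forward-zone pointing at a resolver on localhost at a port other than 53. The zone name and the port 5353 are assumptions.

```conf
# Added illustration, not from the bug report. Zone name and port are assumptions.
server:
    # Default is "yes": Unbound will not send queries to localhost, so an
    # answer such as "example.com. IN NS localhost." cannot redirect it to a
    # local service. With the default in place, the forward-addr below is
    # never queried and the zone resolves to SERVFAIL, with nothing logged.
    do-not-query-localhost: no
    # Consequence of "no": Unbound will now also follow NS records that point
    # at localhost (port 53), which is exactly the risk the default prevents.
    # The check does not distinguish a configured address from one learned
    # from an NS answer, and it is not port-specific.

forward-zone:
    name: "internal.example."
    # Local forwarder on a non-53 port, e.g. a stub or encrypting resolver.
    forward-addr: 127.0.0.1@5353
```

Validate the file with unbound-checkconf before reloading, and test a query for the forwarded zone afterwards, since the SERVFAIL described above produces no log line.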