Bug 714 - "private-address" does not handle IPv4-mapped IPv6 addresses in AAAA records
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.5.3
Hardware: x86_64 FreeBSD
Importance: P5 normal
Assigned To: unbound team
Reported: 2015-10-22 17:09 CEST by Jordan Milne
Modified: 2015-10-23 09:14 CEST
Description Jordan Milne 2015-10-22 17:09:27 CEST
Given a config like 

    server:
        private-address: 192.168.0.0/16

unbound will drop A records containing "192.168.2.1", but will return AAAA records containing the IPv4-mapped "::ffff:192.168.2.1". For example:

    $ host router.saynotolinux.com 127.0.0.1
    Using domain server:
    Name: 127.0.0.1
    Address: 127.0.0.1#53
    Aliases: 

    $ host routerv4mapped.saynotolinux.com 127.0.0.1
    Using domain server:
    Name: 127.0.0.1
    Address: 127.0.0.1#53
    Aliases: 
    
    routerv4mapped.saynotolinux.com has IPv6 address ::ffff:192.168.2.1

Clients that support IPv4-mapped IPv6 addresses will take that address and connect directly to 192.168.2.1 over IPv4. As far as I can tell, none of the BSDs will connect to IPv4-mapped addresses by default, but I've confirmed that several Linux distros will.

For workarounds, I've seen configs where people do

    private-address: ::ffff:0:0/96

which is the best approach IMO, but those are in the minority, so unbound should try to sanely deal with IPv4-mapped IPv6 addresses.

For context, see http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009491.html for a similar issue in dnsmasq.
Comment 1 Wouter Wijngaards 2015-10-23 09:14:52 CEST
Hi Jordan,

I documented this in the example config and the manual page for unbound.conf; suggesting the /96 block that you list as the correct fix.  It is now listed with the other 10/8 and so on netblocks as a suggestion to block them.

Best regards, Wouter
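
The gap described in this report, and the effect of the `::ffff:0:0/96` netblock mentioned in both comments, as an added Python example that is not part of the bug report or of unbound's code. The function names and sample answers are constructed, and `family_only_match` is an assumed model of the reported behaviour, not unbound's implementation.

```python
import ipaddress

# Constructed sample answers (record type, address); not from a real capture.
SAMPLE_ANSWERS = [
    ("A", "192.168.2.1"),
    ("AAAA", "::ffff:192.168.2.1"),   # IPv4-mapped form of a private address
    ("AAAA", "::ffff:203.0.113.7"),   # IPv4-mapped form of a public address
    ("AAAA", "2001:db8::1"),
]

def parse_blocks(blocks):
    """Parse private-address style netblocks, e.g. '192.168.0.0/16'."""
    return [ipaddress.ip_network(b) for b in blocks]

def family_only_match(ip, nets):
    """Assumed model of the reported behaviour: an address is compared
    only against netblocks of its own address family."""
    return any(ip.version == n.version and ip in n for n in nets)

def mapped_aware_match(ip, nets):
    """Also unwrap ::ffff:a.b.c.d and test the embedded IPv4 address."""
    if family_only_match(ip, nets):
        return True
    mapped = ip.ipv4_mapped if ip.version == 6 else None
    return mapped is not None and family_only_match(mapped, nets)

def leaked_answers(blocks, answers=SAMPLE_ANSWERS):
    """Return addresses that pass the family-only check even though the
    IPv4 address they embed falls inside a configured private netblock."""
    nets = parse_blocks(blocks)
    leaks = []
    for _rtype, text in answers:
        ip = ipaddress.ip_address(text)
        if not family_only_match(ip, nets) and mapped_aware_match(ip, nets):
            leaks.append(text)
    return leaks

if __name__ == "__main__":
    # Config from the report: the mapped AAAA answer gets through.
    print(leaked_answers(["192.168.0.0/16"]))
    # With the /96 netblock added, every mapped answer is matched directly.
    print(leaked_answers(["192.168.0.0/16", "::ffff:0:0/96"]))
```

Note that the /96 netblock matches every IPv4-mapped answer, including the one that embeds a public address in the sample data.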