jedisct1 / dnscrypt-server-docker

A Docker image for a non-censoring, non-logging, DNSSEC-capable, DNSCrypt-enabled DNS resolver
https://dnscrypt.info
ISC License

private addresses in unbound.conf #44

Closed mibere closed 4 years ago

mibere commented 4 years ago

Is it necessary or a good idea to add this to unbound.conf?

server:
  ...

  # Ensure privacy of local IP ranges
  private-address: 192.168.0.0/16
  private-address: 172.16.0.0/12
  private-address: 169.254.0.0/16
  private-address: 10.0.0.0/8
  private-address: fe80::/10
  private-address: fd00::/8

jedisct1 commented 4 years ago

I don't think this is a good idea. While having a dedicated, internal authoritative server and using split horizon is a good practice, it's not a requirement either, and such a change will break valid setups.

My own zones contain both private and public IPs, so that I can use any resolvers, both from the internal network and from a VPN.

People who really want to block this can do it in dnscrypt-proxy with the IP filter, but doing it on the resolver itself doesn't seem like a good idea.

mibere commented 4 years ago

Feel free to close it if there is nothing to do :)
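
What the proposed lines would do to a zone that mixes private and public IPs, like the one described in the reply above, shown as an added example that is not part of the original thread or the project's code. It is a simplified Python model of Unbound's documented `private-address` stripping and its `private-domain` exemption; the host name and records are constructed, and the DNSSEC side effect (answers possibly marked bogus) is not modelled.

```python
import ipaddress

# Ranges copied from the unbound.conf snippet proposed in this issue.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "172.16.0.0/12", "169.254.0.0/16",
    "10.0.0.0/8", "fe80::/10", "fd00::/8",
)]


def is_private(addr):
    """True if addr falls inside one of the configured private-address ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_ADDRESS)


def filter_answer(qname, rrset, private_domains=()):
    """Simplified model: drop A/AAAA records that point into a private range,
    unless qname is at or below a name listed as private-domain."""
    name = qname.rstrip(".").lower()
    exempt = any(name == d or name.endswith("." + d) for d in private_domains)
    kept, stripped = [], []
    for rtype, rdata in rrset:
        if rtype in ("A", "AAAA") and not exempt and is_private(rdata):
            stripped.append((rtype, rdata))
        else:
            kept.append((rtype, rdata))
    return kept, stripped


# Constructed answer for a public zone that publishes both internal and
# external addresses (203.0.113.0/24 is a documentation range).
MIXED = [("A", "203.0.113.10"), ("A", "10.8.0.1"), ("AAAA", "fd00::53")]

if __name__ == "__main__":
    for domains in ((), ("example.com",)):
        kept, stripped = filter_answer("host.example.com.", MIXED, domains)
        print(f"private-domain={domains or 'unset'}")
        print(f"  kept:     {kept}")
        print(f"  stripped: {stripped}")
```

Without an exemption, a client on the internal network or VPN receives only the public address; listing the zone under `private-domain` restores the full answer for that zone only.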