Services: Unbound DNS - remove 127/8 from private-address block when rebind protection is enabled as advised by unbound (https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#term-private-address-IP-address-or-subnet) and make the default items configurable via the advanced page. closes https://github.com/opnsense/core/issues/5871

2026-03-14 00:24:40 +00:00 · 2022-10-16 18:31:02 +02:00 · 2022-10-16 18:31:02 +02:00 · 3edd472aaa
commit 3edd472aaa
parent 926a4c8e68
3 changed files with 31 additions and 31 deletions
--- a/src/etc/inc/plugins.inc.d/unbound.inc
+++ b/src/etc/inc/plugins.inc.d/unbound.inc
@ -149,36 +149,14 @@ function unbound_generate_config()
        $module_config .= 'python iterator';
    }

+    $private_addr = "";
    if (!isset($config['system']['webgui']['nodnsrebindcheck'])) {
-        $private_addr = <<<EOF
-# For DNS Rebinding prevention
-#
-# All these addresses are either private or should not be routable in the global IPv4 or IPv6 internet.
-#
-# IPv4 Addresses
-#
-private-address: 0.0.0.0/8       # Broadcast address
-private-address: 10.0.0.0/8
-private-address: 100.64.0.0/10
-private-address: 127.0.0.0/8     # Loopback Localhost
-private-address: 169.254.0.0/16
-private-address: 172.16.0.0/12
-private-address: 192.0.2.0/24    # Documentation network TEST-NET
-private-address: 192.168.0.0/16
-private-address: 198.18.0.0/15   # Used for testing inter-network communications
-private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
-private-address: 203.0.113.0/24  # Documentation network TEST-NET-3
-private-address: 233.252.0.0/24  # Documentation network MCAST-TEST-NET
-#
-# IPv6 Addresses
-#
-private-address: ::1/128         # Loopback Localhost
-private-address: 2001:db8::/32   # Documentation network IPv6
-private-address: fc00::/8        # Unique local address (ULA) part of "fc00::/7", not defined yet
-private-address: fd00::/8        # Unique local address (ULA) part of "fc00::/7", "/48" prefix group
-private-address: fe80::/10       # Link-local address (LLA)
-
-EOF;
+        $advanced = config_read_array('OPNsense', 'unboundplus', 'advanced');
+        if (!empty($advanced) && !empty($advanced['privateaddress'])) {
+            foreach (explode(',', $advanced['privateaddress']) as $address) {
+                $private_addr .= "private-address: {$address}\n";
+            }
+        }
    }

    $bindints = '';
@ -314,7 +292,7 @@ module-config: "{$module_config}"
 {$bindints}
 {$outgoingints}

-# DNS Rebinding
+# Private networks for DNS Rebinding prevention (when enabled)
 {$private_addr}

 # Private domains (DNS Rebinding)
--- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
@ -159,6 +159,21 @@
            private addresses.
        </help>
    </field>
+    <field>
+        <id>unbound.advanced.privateaddress</id>
+        <label>Rebind protection networks</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help>
+          These are addresses on your private network, and are not allowed to be returned for public internet names.
+          Any occurrence of such addresses are removed from DNS answers.
+          Additionally, the DNSSEC validator may mark the answers bogus.
+          This protects against so-called DNS Rebinding.
+
+          (Only applicable when DNS rebind check is enabled in System->Settings->Administration)
+        </help>
+    </field>
    <field>
        <id>unbound.advanced.insecuredomain</id>
        <label>Insecure Domains</label>
--- a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
@ -1,7 +1,7 @@
 <model>
    <mount>//OPNsense/unboundplus</mount>
    <description>Unbound configuration</description>
-    <version>1.0.3</version>
+    <version>1.0.4</version>
    <items>
        <service_enabled type="LegacyLinkField">
            <Source>unbound.enable</Source>
@ -64,6 +64,13 @@
            <privatedomain type="CSVListField">
                <Required>N</Required>
            </privatedomain>
+            <privateaddress type="NetworkField">
+                <Required>N</Required>
+                <FieldSeparator>,</FieldSeparator>
+                <WildcardEnabled>N</WildcardEnabled>
+                <default>0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,233.252.0.0/24,::1/128,2001:db8::/32,fc00::/8,fd00::/8,fe80::/10</default>
+                <asList>Y</asList>
+            </privateaddress>
            <insecuredomain type="CSVListField">
                <Required>N</Required>
            </insecuredomain>