From 3edd472aaa007a9f080c3f9d863d4c774114f1b5 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 16 Oct 2022 18:31:02 +0200
Subject: [PATCH] Services: Unbound DNS - remove 127/8 from private-address
 block when rebind protection is enabled as advised by unbound
 (https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#term-private-address-IP-address-or-subnet)
 and make the default items configurable via the advanced page. closes
 https://github.com/opnsense/core/issues/5871

---
 src/etc/inc/plugins.inc.d/unbound.inc         | 38 ++++---------------
 .../OPNsense/Unbound/forms/advanced.xml       | 15 ++++++++
 .../app/models/OPNsense/Unbound/Unbound.xml   |  9 ++++-
 3 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/src/etc/inc/plugins.inc.d/unbound.inc b/src/etc/inc/plugins.inc.d/unbound.inc
index 9dbdab3dc..92fd73dac 100644
--- a/src/etc/inc/plugins.inc.d/unbound.inc
+++ b/src/etc/inc/plugins.inc.d/unbound.inc
@@ -149,36 +149,14 @@ function unbound_generate_config()
         $module_config .= 'python iterator';
     }
 
+    $private_addr = "";
     if (!isset($config['system']['webgui']['nodnsrebindcheck'])) {
-        $private_addr = <<<EOF
-# For DNS Rebinding prevention
-#
-# All these addresses are either private or should not be routable in the global IPv4 or IPv6 internet.
-#
-# IPv4 Addresses
-#
-private-address: 0.0.0.0/8       # Broadcast address
-private-address: 10.0.0.0/8
-private-address: 100.64.0.0/10
-private-address: 127.0.0.0/8     # Loopback Localhost
-private-address: 169.254.0.0/16
-private-address: 172.16.0.0/12
-private-address: 192.0.2.0/24    # Documentation network TEST-NET
-private-address: 192.168.0.0/16
-private-address: 198.18.0.0/15   # Used for testing inter-network communications
-private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
-private-address: 203.0.113.0/24  # Documentation network TEST-NET-3
-private-address: 233.252.0.0/24  # Documentation network MCAST-TEST-NET
-#
-# IPv6 Addresses
-#
-private-address: ::1/128         # Loopback Localhost
-private-address: 2001:db8::/32   # Documentation network IPv6
-private-address: fc00::/8        # Unique local address (ULA) part of "fc00::/7", not defined yet
-private-address: fd00::/8        # Unique local address (ULA) part of "fc00::/7", "/48" prefix group
-private-address: fe80::/10       # Link-local address (LLA)
-
-EOF;
+        $advanced = config_read_array('OPNsense', 'unboundplus', 'advanced');
+        if (!empty($advanced) && !empty($advanced['privateaddress'])) {
+            foreach (explode(',', $advanced['privateaddress']) as $address) {
+                $private_addr .= "private-address: {$address}\n";
+            }
+        }
     }
 
     $bindints = '';
@@ -314,7 +292,7 @@ module-config: "{$module_config}"
 {$bindints}
 {$outgoingints}
 
-# DNS Rebinding
+# Private networks for DNS Rebinding prevention (when enabled)
 {$private_addr}
 
 # Private domains (DNS Rebinding)
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
index e040125f2..2494897af 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
@@ -159,6 +159,21 @@
             private addresses.
         </help>
     </field>
+    <field>
+        <id>unbound.advanced.privateaddress</id>
+        <label>Rebind protection networks</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help>
+          These are addresses on your private network, and are not allowed to be returned for public internet names.
+          Any occurrence of such addresses are removed from DNS answers.
+          Additionally, the DNSSEC validator may mark the answers bogus.
+          This protects against so-called DNS Rebinding.
+
+          (Only applicable when DNS rebind check is enabled in System->Settings->Administration)
+        </help>
+    </field>
     <field>
         <id>unbound.advanced.insecuredomain</id>
         <label>Insecure Domains</label>
diff --git a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
index 489301594..56c2228cc 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/unboundplus</mount>
     <description>Unbound configuration</description>
-    <version>1.0.3</version>
+    <version>1.0.4</version>
     <items>
         <service_enabled type="LegacyLinkField">
             <Source>unbound.enable</Source>
@@ -64,6 +64,13 @@
             <privatedomain type="CSVListField">
                 <Required>N</Required>
             </privatedomain>
+            <privateaddress type="NetworkField">
+                <Required>N</Required>
+                <FieldSeparator>,</FieldSeparator>
+                <WildcardEnabled>N</WildcardEnabled>
+                <default>0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,233.252.0.0/24,::1/128,2001:db8::/32,fc00::/8,fd00::/8,fe80::/10</default>
+                <asList>Y</asList>
+            </privateaddress>
             <insecuredomain type="CSVListField">
                 <Required>N</Required>
             </insecuredomain>