Use the new insecure-lan-zones option instead of listing each AS112 zone separately.

MFC after:	3 days
Dag-Erling Smørgrav 2016-02-11 17:37:02 +00:00
commit 0de4f1bf64
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=295535
15 changed files with 269 additions and 139 deletions


@ -95,7 +95,7 @@ PYUNBOUND_SRC=
# libunbound_wrap.lo if python libunbound wrapper enabled. # libunbound_wrap.lo if python libunbound wrapper enabled.
PYUNBOUND_OBJ=@PYUNBOUND_OBJ@ PYUNBOUND_OBJ=@PYUNBOUND_OBJ@
COMMON_SRC=services/cache/dns.c services/cache/infra.c services/cache/rrset.c \ COMMON_SRC=services/cache/dns.c services/cache/infra.c services/cache/rrset.c \
util/data/dname.c util/data/msgencode.c util/data/msgparse.c \ util/as112.c util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
util/data/msgreply.c util/data/packed_rrset.c iterator/iterator.c \ util/data/msgreply.c util/data/packed_rrset.c iterator/iterator.c \
iterator/iter_delegpt.c iterator/iter_donotq.c iterator/iter_fwd.c \ iterator/iter_delegpt.c iterator/iter_donotq.c iterator/iter_fwd.c \
iterator/iter_hints.c iterator/iter_priv.c iterator/iter_resptype.c \ iterator/iter_hints.c iterator/iter_priv.c iterator/iter_resptype.c \
@ -113,7 +113,7 @@ validator/val_neg.c validator/val_nsec3.c validator/val_nsec.c \
validator/val_secalgo.c validator/val_sigcrypt.c \ validator/val_secalgo.c validator/val_sigcrypt.c \
validator/val_utils.c dns64/dns64.c $(CHECKLOCK_SRC) $(DNSTAP_SRC) validator/val_utils.c dns64/dns64.c $(CHECKLOCK_SRC) $(DNSTAP_SRC)
COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \ COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \ as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \ iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
iter_scrub.lo iter_utils.lo localzone.lo mesh.lo modstack.lo \ iter_scrub.lo iter_utils.lo localzone.lo mesh.lo modstack.lo \
outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \ outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \
@ -595,6 +595,7 @@ depend:
rm -f $(DEPEND_TMP) $(DEPEND_TMP2) rm -f $(DEPEND_TMP) $(DEPEND_TMP2)
# Dependencies # Dependencies
as112.lo as112.o: $(srcdir)/util/as112.c $(srcdir)/util/as112.h
dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \ dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
$(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/locks.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/msgreply.h \
@ -702,7 +703,7 @@ localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/serv
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
$(srcdir)/util/net_help.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/as112.h
mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ $(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \ $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
@ -821,7 +822,7 @@ val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/as112.h
validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/validator/validator.h \ validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/validator/validator.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \


@ -508,13 +508,17 @@ server:
# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
# if unbound is running service for the local host then it is useful # If unbound is running service for the local host then it is useful
# to perform lan-wide lookups to the upstream, and unblock the # to perform lan-wide lookups to the upstream, and unblock the
# long list of local-zones above. If this unbound is a dns server # long list of local-zones above. If this unbound is a dns server
# for a network of computers, disabled is better and stops information # for a network of computers, disabled is better and stops information
# leakage of local lan information. # leakage of local lan information.
# unblock-lan-zones: no # unblock-lan-zones: no
# The insecure-lan-zones option disables validation for
# these zones, as if they were all listed as domain-insecure.
# insecure-lan-zones: no
# a number of locally served zones can be configured. # a number of locally served zones can be configured.
# local-zone: <zone> <type> # local-zone: <zone> <type>
# local-data: "<resource record string>" # local-data: "<resource record string>"


@ -508,13 +508,17 @@ server:
# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
# if unbound is running service for the local host then it is useful # If unbound is running service for the local host then it is useful
# to perform lan-wide lookups to the upstream, and unblock the # to perform lan-wide lookups to the upstream, and unblock the
# long list of local-zones above. If this unbound is a dns server # long list of local-zones above. If this unbound is a dns server
# for a network of computers, disabled is better and stops information # for a network of computers, disabled is better and stops information
# leakage of local lan information. # leakage of local lan information.
# unblock-lan-zones: no # unblock-lan-zones: no
# The insecure-lan-zones option disables validation for
# these zones, as if they were all listed as domain-insecure.
# insecure-lan-zones: no
# a number of locally served zones can be configured. # a number of locally served zones can be configured.
# local-zone: <zone> <type> # local-zone: <zone> <type>
# local-data: "<resource record string>" # local-data: "<resource record string>"


@ -841,6 +841,11 @@ as a (DHCP-) DNS network resolver for a group of machines, where such
lookups should be filtered (RFC compliance), this also stops potential lookups should be filtered (RFC compliance), this also stops potential
data leakage about the local network to the upstream DNS servers. data leakage about the local network to the upstream DNS servers.
.TP .TP
.B insecure\-lan\-zones: \fI<yesno>
Default is disabled. If enabled, then reverse lookups in private
address space are not validated. This is usually required whenever
\fIunblock\-lan\-zones\fR is used.
.TP
.B local\-zone: \fI<zone> <type> .B local\-zone: \fI<zone> <type>
Configure a local zone. The type determines the answer to give if Configure a local zone. The type determines the answer to give if
there is no match from local\-data. The types are deny, refuse, static, there is no match from local\-data. The types are deny, refuse, static,


@ -841,6 +841,11 @@ as a (DHCP-) DNS network resolver for a group of machines, where such
lookups should be filtered (RFC compliance), this also stops potential lookups should be filtered (RFC compliance), this also stops potential
data leakage about the local network to the upstream DNS servers. data leakage about the local network to the upstream DNS servers.
.TP .TP
.B insecure\-lan\-zones: \fI<yesno>
Default is disabled. If enabled, then reverse lookups in private
address space are not validated. This is usually required whenever
\fIunblock\-lan\-zones\fR is used.
.TP
.B local\-zone: \fI<zone> <type> .B local\-zone: \fI<zone> <type>
Configure a local zone. The type determines the answer to give if Configure a local zone. The type determines the answer to give if
there is no match from local\-data. The types are deny, refuse, static, there is no match from local\-data. The types are deny, refuse, static,


@ -51,6 +51,7 @@
#include "util/netevent.h" #include "util/netevent.h"
#include "util/data/msgreply.h" #include "util/data/msgreply.h"
#include "util/data/msgparse.h" #include "util/data/msgparse.h"
#include "util/as112.h"
struct local_zones* struct local_zones*
local_zones_create(void) local_zones_create(void)
@ -592,6 +593,7 @@ static int
lz_enter_defaults(struct local_zones* zones, struct config_file* cfg) lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
{ {
struct local_zone* z; struct local_zone* z;
const char** zstr;
/* this list of zones is from RFC 6303 */ /* this list of zones is from RFC 6303 */
@ -654,110 +656,14 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
lock_rw_unlock(&z->lock); lock_rw_unlock(&z->lock);
} }
/* if unblock lan-zones, then do not add the zones below. /* block AS112 zones, unless asked not to */
* we do add the zones above, about 127.0.0.1, because localhost is if(!cfg->unblock_lan_zones) {
* not on the lan. */ for(zstr = as112_zones; *zstr; zstr++) {
if(cfg->unblock_lan_zones) if(!add_as112_default(zones, cfg, *zstr)) {
return 1; log_err("out of memory adding default zone");
return 0;
/* block LAN level zones */ }
if ( !add_as112_default(zones, cfg, "10.in-addr.arpa.") || }
!add_as112_default(zones, cfg, "16.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "17.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "18.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "19.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "20.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "21.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "22.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "23.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "24.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "25.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "26.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "27.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "28.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "29.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "30.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "31.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "168.192.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "0.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "64.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "65.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "66.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "67.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "68.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "69.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "70.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "71.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "72.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "73.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "74.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "75.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "76.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "77.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "78.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "79.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "80.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "81.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "82.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "83.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "84.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "85.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "86.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "87.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "88.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "89.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "90.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "91.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "92.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "93.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "94.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "95.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "96.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "97.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "98.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "99.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "100.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "101.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "102.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "103.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "104.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "105.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "106.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "107.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "108.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "109.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "110.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "111.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "112.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "113.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "114.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "115.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "116.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "117.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "118.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "119.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "120.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "121.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "122.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "123.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "124.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "125.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "126.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "127.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "254.169.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "2.0.192.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "100.51.198.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "113.0.203.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "255.255.255.255.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.") ||
!add_as112_default(zones, cfg, "d.f.ip6.arpa.") ||
!add_as112_default(zones, cfg, "8.e.f.ip6.arpa.") ||
!add_as112_default(zones, cfg, "9.e.f.ip6.arpa.") ||
!add_as112_default(zones, cfg, "a.e.f.ip6.arpa.") ||
!add_as112_default(zones, cfg, "b.e.f.ip6.arpa.") ||
!add_as112_default(zones, cfg, "8.b.d.0.1.0.0.2.ip6.arpa.")) {
log_err("out of memory adding default zone");
return 0;
} }
return 1; return 1;
} }
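Review bot: The replacement comment at the top of the new block drops the rationale the old one carried — that the localhost zones entered above this point are always added because localhost is not on the lan, and only the AS112 list is subject to unblock-lan-zones — so a reader of the new code can no longer tell why the two groups are treated differently. Suggest `/* block AS112 (lan) zones, unless asked not to; the localhost zones above are always added, because localhost is not on the lan */`. The message `log_err("out of memory adding default zone")` also no longer identifies the zone now that the name comes from the loop rather than from a literal on the failing line; `log_err("out of memory adding default zone %s", *zstr);` would match the per-zone reporting used in the val_anchor.c change. lz_enter_defaults starts outside this hunk.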


@ -0,0 +1,143 @@
/*
* util/as112.c - list of local zones.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
* This software is open source.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the NLNET LABS nor the names of its contributors may
* be used to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* \file
*
* This file provides a list of lan zones.
*/
#include "util/as112.h"
static const char* as112_zone_array[] = {
"10.in-addr.arpa.",
"16.172.in-addr.arpa.",
"17.172.in-addr.arpa.",
"18.172.in-addr.arpa.",
"19.172.in-addr.arpa.",
"20.172.in-addr.arpa.",
"21.172.in-addr.arpa.",
"22.172.in-addr.arpa.",
"23.172.in-addr.arpa.",
"24.172.in-addr.arpa.",
"25.172.in-addr.arpa.",
"26.172.in-addr.arpa.",
"27.172.in-addr.arpa.",
"28.172.in-addr.arpa.",
"29.172.in-addr.arpa.",
"30.172.in-addr.arpa.",
"31.172.in-addr.arpa.",
"168.192.in-addr.arpa.",
"0.in-addr.arpa.",
"64.100.in-addr.arpa.",
"65.100.in-addr.arpa.",
"66.100.in-addr.arpa.",
"67.100.in-addr.arpa.",
"68.100.in-addr.arpa.",
"69.100.in-addr.arpa.",
"70.100.in-addr.arpa.",
"71.100.in-addr.arpa.",
"72.100.in-addr.arpa.",
"73.100.in-addr.arpa.",
"74.100.in-addr.arpa.",
"75.100.in-addr.arpa.",
"76.100.in-addr.arpa.",
"77.100.in-addr.arpa.",
"78.100.in-addr.arpa.",
"79.100.in-addr.arpa.",
"80.100.in-addr.arpa.",
"81.100.in-addr.arpa.",
"82.100.in-addr.arpa.",
"83.100.in-addr.arpa.",
"84.100.in-addr.arpa.",
"85.100.in-addr.arpa.",
"86.100.in-addr.arpa.",
"87.100.in-addr.arpa.",
"88.100.in-addr.arpa.",
"89.100.in-addr.arpa.",
"90.100.in-addr.arpa.",
"91.100.in-addr.arpa.",
"92.100.in-addr.arpa.",
"93.100.in-addr.arpa.",
"94.100.in-addr.arpa.",
"95.100.in-addr.arpa.",
"96.100.in-addr.arpa.",
"97.100.in-addr.arpa.",
"98.100.in-addr.arpa.",
"99.100.in-addr.arpa.",
"100.100.in-addr.arpa.",
"101.100.in-addr.arpa.",
"102.100.in-addr.arpa.",
"103.100.in-addr.arpa.",
"104.100.in-addr.arpa.",
"105.100.in-addr.arpa.",
"106.100.in-addr.arpa.",
"107.100.in-addr.arpa.",
"108.100.in-addr.arpa.",
"109.100.in-addr.arpa.",
"110.100.in-addr.arpa.",
"111.100.in-addr.arpa.",
"112.100.in-addr.arpa.",
"113.100.in-addr.arpa.",
"114.100.in-addr.arpa.",
"115.100.in-addr.arpa.",
"116.100.in-addr.arpa.",
"117.100.in-addr.arpa.",
"118.100.in-addr.arpa.",
"119.100.in-addr.arpa.",
"120.100.in-addr.arpa.",
"121.100.in-addr.arpa.",
"122.100.in-addr.arpa.",
"123.100.in-addr.arpa.",
"124.100.in-addr.arpa.",
"125.100.in-addr.arpa.",
"126.100.in-addr.arpa.",
"127.100.in-addr.arpa.",
"254.169.in-addr.arpa.",
"2.0.192.in-addr.arpa.",
"100.51.198.in-addr.arpa.",
"113.0.203.in-addr.arpa.",
"255.255.255.255.in-addr.arpa.",
"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.",
"d.f.ip6.arpa.",
"8.e.f.ip6.arpa.",
"9.e.f.ip6.arpa.",
"a.e.f.ip6.arpa.",
"b.e.f.ip6.arpa.",
"8.b.d.0.1.0.0.2.ip6.arpa.",
0
};
const char** as112_zones = as112_zone_array;
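Review bot: `as112_zones` is exported as a writable `const char**` over a `static const char*` array, so both the pointer itself and every slot of the list it points at can be reassigned from any translation unit that includes util/as112.h; only the characters of the names are const. Since this list decides which zones are blocked locally and, with insecure-lan-zones, which are exempted from validation, it is worth making it immutable at every level: `static const char* const as112_zone_array[] = {` and `const char* const* const as112_zones = as112_zone_array;`, with the header's extern and the two `const char** zstr` iterators in localzone.c and val_anchor.c changed to `const char* const*`. Separately, this is the only object in the Makefile.in dependency list without config.h, because the file does not include it; harmless for a pure data file, but inconsistent with the other sources, which include config.h first.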


@ -0,0 +1,57 @@
/*
* util/as112.c - list of local zones.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
* This software is open source.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the NLNET LABS nor the names of its contributors may
* be used to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* \file
*
* This file provides a list of lan zones
*/
#ifndef UTIL_AS112_H
#define UTIL_AS112_H
/**
* Array of text-format domain names of the AS112 zones.
* The array ends with NULL. "AS112" is a service on the internet that
* that this array is named after. The names in this list (or some of them)
* are null-routed by this service to avoid load on central servers caused by
* mistaken lookups for local content on the global internet.
*
* This is the list of names that unbound should not normally be sending
* on towards the internet, because they are local-use.
*/
extern const char** as112_zones;
#endif
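Review bot: The banner comment of the new header names `util/as112.c` rather than the header itself, and the array's doc comment reads "a service on the internet that that this array is named after". Suggest `* util/as112.h - list of local zones.` for the banner and `* The array ends with NULL. "AS112" is a service on the internet that this array is named after.` for the comment. The localzone.c change describes the list it iterates as coming from RFC 6303; if that is indeed the source of these entries, citing it here would tell readers where the list comes from and when it needs updating — worth confirming.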


@ -210,6 +210,7 @@ config_create(void)
cfg->local_zones_nodefault = NULL; cfg->local_zones_nodefault = NULL;
cfg->local_data = NULL; cfg->local_data = NULL;
cfg->unblock_lan_zones = 0; cfg->unblock_lan_zones = 0;
cfg->insecure_lan_zones = 0;
cfg->python_script = NULL; cfg->python_script = NULL;
cfg->remote_control_enable = 0; cfg->remote_control_enable = 0;
cfg->control_ifs = NULL; cfg->control_ifs = NULL;
@ -458,6 +459,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_YNO("rrset-roundrobin:", rrset_roundrobin) else S_YNO("rrset-roundrobin:", rrset_roundrobin)
else S_STRLIST("local-data:", local_data) else S_STRLIST("local-data:", local_data)
else S_YNO("unblock-lan-zones:", unblock_lan_zones) else S_YNO("unblock-lan-zones:", unblock_lan_zones)
else S_YNO("insecure-lan-zones:", insecure_lan_zones)
else S_YNO("control-enable:", remote_control_enable) else S_YNO("control-enable:", remote_control_enable)
else S_STRLIST("control-interface:", control_ifs) else S_STRLIST("control-interface:", control_ifs)
else S_NUMBER_NONZERO("control-port:", control_port) else S_NUMBER_NONZERO("control-port:", control_port)
@ -739,6 +741,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_YNO(opt, "minimal-responses", minimal_responses) else O_YNO(opt, "minimal-responses", minimal_responses)
else O_YNO(opt, "rrset-roundrobin", rrset_roundrobin) else O_YNO(opt, "rrset-roundrobin", rrset_roundrobin)
else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones) else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)
else O_DEC(opt, "max-udp-size", max_udp_size) else O_DEC(opt, "max-udp-size", max_udp_size)
else O_STR(opt, "python-script", python_script) else O_STR(opt, "python-script", python_script)
else O_DEC(opt, "ratelimit", ratelimit) else O_DEC(opt, "ratelimit", ratelimit)


@ -285,8 +285,10 @@ struct config_file {
struct config_strlist* local_zones_nodefault; struct config_strlist* local_zones_nodefault;
/** local data RRs configured */ /** local data RRs configured */
struct config_strlist* local_data; struct config_strlist* local_data;
/** unblock lan zones (reverse lookups for 10/8 and so on) */ /** unblock lan zones (reverse lookups for AS112 zones) */
int unblock_lan_zones; int unblock_lan_zones;
/** insecure lan zones (don't validate AS112 zones) */
int insecure_lan_zones;
/** remote control section. enable toggle. */ /** remote control section. enable toggle. */
int remote_control_enable; int remote_control_enable;
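Review bot: The comment on the new `insecure_lan_zones` field says what it is but not its effect, which the example.conf text in this commit states more precisely: the zones are treated as if each were listed as domain-insecure. Suggest `/** insecure lan zones: do not validate the AS112 zones, as if each were listed as domain-insecure */` so the validation consequence is visible at the definition.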

View File

@ -321,6 +321,7 @@ local-zone{COLON} { YDVAR(2, VAR_LOCAL_ZONE) }
local-data{COLON} { YDVAR(1, VAR_LOCAL_DATA) } local-data{COLON} { YDVAR(1, VAR_LOCAL_DATA) }
local-data-ptr{COLON} { YDVAR(1, VAR_LOCAL_DATA_PTR) } local-data-ptr{COLON} { YDVAR(1, VAR_LOCAL_DATA_PTR) }
unblock-lan-zones{COLON} { YDVAR(1, VAR_UNBLOCK_LAN_ZONES) } unblock-lan-zones{COLON} { YDVAR(1, VAR_UNBLOCK_LAN_ZONES) }
insecure-lan-zones{COLON} { YDVAR(1, VAR_INSECURE_LAN_ZONES) }
statistics-interval{COLON} { YDVAR(1, VAR_STATISTICS_INTERVAL) } statistics-interval{COLON} { YDVAR(1, VAR_STATISTICS_INTERVAL) }
statistics-cumulative{COLON} { YDVAR(1, VAR_STATISTICS_CUMULATIVE) } statistics-cumulative{COLON} { YDVAR(1, VAR_STATISTICS_CUMULATIVE) }
extended-statistics{COLON} { YDVAR(1, VAR_EXTENDED_STATISTICS) } extended-statistics{COLON} { YDVAR(1, VAR_EXTENDED_STATISTICS) }


@ -106,7 +106,8 @@ extern struct config_parser_state* cfg_parser;
%token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM %token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
%token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST %token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
%token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE VAR_UNBLOCK_LAN_ZONES %token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
%token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
%token VAR_INFRA_CACHE_MIN_RTT %token VAR_INFRA_CACHE_MIN_RTT
%token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL %token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL
%token VAR_DNSTAP VAR_DNSTAP_ENABLE VAR_DNSTAP_SOCKET_PATH %token VAR_DNSTAP VAR_DNSTAP_ENABLE VAR_DNSTAP_SOCKET_PATH
@ -180,7 +181,8 @@ content_server: server_num_threads | server_verbosity | server_port |
server_log_queries | server_tcp_upstream | server_ssl_upstream | server_log_queries | server_tcp_upstream | server_ssl_upstream |
server_ssl_service_key | server_ssl_service_pem | server_ssl_port | server_ssl_service_key | server_ssl_service_pem | server_ssl_port |
server_minimal_responses | server_rrset_roundrobin | server_max_udp_size | server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
server_so_reuseport | server_delay_close | server_unblock_lan_zones | server_so_reuseport | server_delay_close |
server_unblock_lan_zones | server_insecure_lan_zones |
server_dns64_prefix | server_dns64_synthall | server_dns64_prefix | server_dns64_synthall |
server_infra_cache_min_rtt | server_harden_algo_downgrade | server_infra_cache_min_rtt | server_harden_algo_downgrade |
server_ip_transparent | server_ratelimit | server_ratelimit_slabs | server_ip_transparent | server_ratelimit | server_ratelimit_slabs |
@ -722,6 +724,16 @@ server_unblock_lan_zones: VAR_UNBLOCK_LAN_ZONES STRING_ARG
free($2); free($2);
} }
; ;
server_insecure_lan_zones: VAR_INSECURE_LAN_ZONES STRING_ARG
{
OUTYY(("P(server_insecure_lan_zones:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->insecure_lan_zones =
(strcmp($2, "yes")==0);
free($2);
}
;
server_rrset_cache_size: VAR_RRSET_CACHE_SIZE STRING_ARG server_rrset_cache_size: VAR_RRSET_CACHE_SIZE STRING_ARG
{ {
OUTYY(("P(server_rrset_cache_size:%s)\n", $2)); OUTYY(("P(server_rrset_cache_size:%s)\n", $2));


@ -48,6 +48,7 @@
#include "util/log.h" #include "util/log.h"
#include "util/net_help.h" #include "util/net_help.h"
#include "util/config_file.h" #include "util/config_file.h"
#include "util/as112.h"
#include "sldns/sbuffer.h" #include "sldns/sbuffer.h"
#include "sldns/rrdef.h" #include "sldns/rrdef.h"
#include "sldns/str2wire.h" #include "sldns/str2wire.h"
@ -1044,8 +1045,18 @@ int
anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg) anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg)
{ {
struct config_strlist* f; struct config_strlist* f;
const char** zstr;
char* nm; char* nm;
sldns_buffer* parsebuf = sldns_buffer_new(65535); sldns_buffer* parsebuf = sldns_buffer_new(65535);
if(cfg->insecure_lan_zones) {
for(zstr = as112_zones; *zstr; zstr++) {
if(!anchor_insert_insecure(anchors, *zstr)) {
log_err("error in insecure-lan-zones: %s", *zstr);
sldns_buffer_free(parsebuf);
return 0;
}
}
}
for(f = cfg->domain_insecure; f; f = f->next) { for(f = cfg->domain_insecure; f; f = f->next) {
if(!f->str || f->str[0] == 0) /* empty "" */ if(!f->str || f->str[0] == 0) /* empty "" */
continue; continue;
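Review bot: The new loop inserts the AS112 zones before the user's domain-insecure list is processed, so a configuration that still lists one of those zones under domain-insecure — exactly what the rc.d script generated until this commit — will present the same name to anchor_insert_insecure a second time when the loop below reaches it; if that function rejects duplicates, hand-edited configs that enable both would fail to load, which is worth confirming before the MFC. The block also lacks a comment saying what it is for; `/* insecure-lan-zones: treat every AS112 zone as if it were listed under domain-insecure */` would do. anchors_apply_cfg continues past the end of this hunk.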


@ -12,7 +12,7 @@ PRIVATELIB=
CFLAGS= -I${UNBOUNDDIR} -I${LDNSDIR} -I${.OBJDIR} CFLAGS= -I${UNBOUNDDIR} -I${LDNSDIR} -I${.OBJDIR}
SRCS= alloc.c autotrust.c config_file.c configlexer.l configparser.y \ SRCS= alloc.c as112.c autotrust.c config_file.c configlexer.l configparser.y \
context.c dname.c dns.c dns64.c dnstree.c fptr_wlist.c infra.c \ context.c dname.c dns.c dns64.c dnstree.c fptr_wlist.c infra.c \
iter_delegpt.c iter_donotq.c iter_fwd.c iter_hints.c iter_priv.c \ iter_delegpt.c iter_donotq.c iter_fwd.c iter_hints.c iter_priv.c \
iter_resptype.c iter_scrub.c iter_utils.c iterator.c keyraw.c \ iter_resptype.c iter_scrub.c iter_utils.c iterator.c keyraw.c \


@ -210,31 +210,7 @@ gen_lanzones_conf() {
echo "server:" echo "server:"
echo " # Unblock reverse lookups for LAN addresses" echo " # Unblock reverse lookups for LAN addresses"
echo " unblock-lan-zones: yes" echo " unblock-lan-zones: yes"
echo " domain-insecure: 10.in-addr.arpa." echo " insecure-lan-zones: yes"
echo " domain-insecure: 127.in-addr.arpa."
echo " domain-insecure: 16.172.in-addr.arpa."
echo " domain-insecure: 17.172.in-addr.arpa."
echo " domain-insecure: 18.172.in-addr.arpa."
echo " domain-insecure: 19.172.in-addr.arpa."
echo " domain-insecure: 20.172.in-addr.arpa."
echo " domain-insecure: 21.172.in-addr.arpa."
echo " domain-insecure: 22.172.in-addr.arpa."
echo " domain-insecure: 23.172.in-addr.arpa."
echo " domain-insecure: 24.172.in-addr.arpa."
echo " domain-insecure: 25.172.in-addr.arpa."
echo " domain-insecure: 26.172.in-addr.arpa."
echo " domain-insecure: 27.172.in-addr.arpa."
echo " domain-insecure: 28.172.in-addr.arpa."
echo " domain-insecure: 29.172.in-addr.arpa."
echo " domain-insecure: 30.172.in-addr.arpa."
echo " domain-insecure: 31.172.in-addr.arpa."
echo " domain-insecure: 168.192.in-addr.arpa."
echo " domain-insecure: 254.169.in-addr.arpa."
echo " domain-insecure: d.f.ip6.arpa."
echo " domain-insecure: 8.e.ip6.arpa."
echo " domain-insecure: 9.e.ip6.arpa."
echo " domain-insecure: a.e.ip6.arpa."
echo " domain-insecure: b.e.ip6.arpa."
} }
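Review bot: The generated config changes in two ways the commit message does not mention: the old list marked `127.in-addr.arpa.` insecure, which is not in the as112_zones array the new option expands to, and the old `8.e.ip6.arpa.` … `b.e.ip6.arpa.` entries are replaced by the array's `8.e.f.ip6.arpa.` … `b.e.f.ip6.arpa.`, so the old names look like a typo the new option quietly fixes. 127.in-addr.arpa. is presumably covered by the localhost local-zones that localzone.c always adds, so dropping it likely has no visible effect, but a sentence in the commit message noting both differences would help anyone diffing the generated file across the upgrade. gen_lanzones_conf starts outside this hunk.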
# #