Import unblock-lan-zones feature backported from upstream svn trunk.

This is a partial fix for reverse lookups in RFC 1918 networks.  With
this option enabled, unbound no longer ignores these queries; however,
it will still reject the answer it gets from the forwarder, because
the RFC 1918 reverse zones are signed.

Submitted by:	"W.C.A. Wijngaards" <wouter@nlnetlabs.nl>

contrib/unbound/doc/example.conf.in

@@ -437,7 +437,14 @@ server:
 	# the amount of memory to use for the negative cache (used for DLV).
 	# plain value in bytes or you can append k, m or G. default is "1Mb". 
 	# neg-cache-size: 1m
-
+	
+	# if unbound is running service for the local host then it is useful
+	# to perform lan-wide lookups to the upstream, and unblock the
+	# long list of local-zones above.  If this unbound is a dns server
+	# for a network of computers, disabled is better and stops information
+	# leakage of local lan information.
+	# unblock-lan-zones: no
+	
 	# By default, for a number of zones a small default 'nothing here'
 	# reply is built-in.  Query traffic is thus blocked.  If you
 	# wish to serve such zone you can unblock them by uncommenting one

contrib/unbound/doc/unbound.conf.5

@@ -778,6 +778,17 @@ Number of bytes size of the aggressive negative cache. Default is 1 megabyte.
 A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
 or gigabytes (1024*1024 bytes in a megabyte).
 .TP
+.B unblock\-lan\-zones: \fI<yesno>
+Default is disabled.  If enabled, then for private address space,
+the reverse lookups are no longer filtered.  This allows unbound when
+running as dns service on a host where it provides service for that host,
+to put out all of the queries for the 'lan' upstream.  When enabled,
+only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured
+with default local zones.  Disable the option when unbound is running
+as a (DHCP-) DNS network resolver for a group of machines, where such
+lookups should be filtered (RFC compliance), this also stops potential
+data leakage about the local network to the upstream DNS servers.
+.TP
 .B local\-zone: \fI<zone> <type>
 Configure a local zone. The type determines the answer to give if
 there is no match from local\-data. The types are deny, refuse, static,

contrib/unbound/doc/unbound.conf.5.in

@@ -778,6 +778,17 @@ Number of bytes size of the aggressive negative cache. Default is 1 megabyte.
 A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
 or gigabytes (1024*1024 bytes in a megabyte).
 .TP
+.B unblock\-lan\-zones: \fI<yesno>
+Default is disabled.  If enabled, then for private address space,
+the reverse lookups are no longer filtered.  This allows unbound when
+running as dns service on a host where it provides service for that host,
+to put out all of the queries for the 'lan' upstream.  When enabled,
+only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured
+with default local zones.  Disable the option when unbound is running
+as a (DHCP-) DNS network resolver for a group of machines, where such
+lookups should be filtered (RFC compliance), this also stops potential
+data leakage about the local network to the upstream DNS servers.
+.TP
 .B local\-zone: \fI<zone> <type>
 Configure a local zone. The type determines the answer to give if
 there is no match from local\-data. The types are deny, refuse, static,

contrib/unbound/services/localzone.c

@@ -594,6 +594,8 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
 
 	/* this list of zones is from RFC 6303 */
 
+	/* block localhost level zones, first, later the LAN zones */
+
 	/* localhost. zone */
 	if(!lz_exists(zones, "localhost.") &&
 		!lz_nodefault(cfg, "localhost.")) {
@@ -650,6 +652,14 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
 		}
 		lock_rw_unlock(&z->lock);
 	}
+
+	/* if unblock lan-zones, then do not add the zones below.
+	 * we do add the zones above, about 127.0.0.1, because localhost is
+	 * not on the lan. */
+	if(cfg->unblock_lan_zones)
+		return 1;
+
+	/* block LAN level zones */
 	if (	!add_as112_default(zones, cfg, "10.in-addr.arpa.") ||
 		!add_as112_default(zones, cfg, "16.172.in-addr.arpa.") ||
 		!add_as112_default(zones, cfg, "17.172.in-addr.arpa.") ||

contrib/unbound/util/config_file.c

@@ -191,6 +191,7 @@ config_create(void)
 	cfg->local_zones = NULL;
 	cfg->local_zones_nodefault = NULL;
 	cfg->local_data = NULL;
+	cfg->unblock_lan_zones = 0;
 	cfg->python_script = NULL;
 	cfg->remote_control_enable = 0;
 	cfg->control_ifs = NULL;
@@ -414,6 +415,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_YNO("minimal-responses:", minimal_responses)
 	else S_YNO("rrset-roundrobin:", rrset_roundrobin)
 	else S_STRLIST("local-data:", local_data)
+	else S_YNO("unblock-lan-zones:", unblock_lan_zones)
 	else S_YNO("control-enable:", remote_control_enable)
 	else S_STRLIST("control-interface:", control_ifs)
 	else S_NUMBER_NONZERO("control-port:", control_port)
@@ -678,6 +680,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_UNS(opt, "val-override-date", val_date_override)
 	else O_YNO(opt, "minimal-responses", minimal_responses)
 	else O_YNO(opt, "rrset-roundrobin", rrset_roundrobin)
+	else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
 	else O_DEC(opt, "max-udp-size", max_udp_size)
 	else O_STR(opt, "python-script", python_script)
 	else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)

contrib/unbound/util/config_file.h

@@ -273,6 +273,8 @@ struct config_file {
 	struct config_strlist* local_zones_nodefault;
 	/** local data RRs configged */
 	struct config_strlist* local_data;
+	/** unblock lan zones (reverse lookups for 10/8 and so on) */
+	int unblock_lan_zones;
 
 	/** remote control section. enable toggle. */
 	int remote_control_enable;

contrib/unbound/util/configlexer.lex

@@ -308,6 +308,7 @@ log-queries{COLON}		{ YDVAR(1, VAR_LOG_QUERIES) }
 local-zone{COLON}		{ YDVAR(2, VAR_LOCAL_ZONE) }
 local-data{COLON}		{ YDVAR(1, VAR_LOCAL_DATA) }
 local-data-ptr{COLON}		{ YDVAR(1, VAR_LOCAL_DATA_PTR) }
+unblock-lan-zones{COLON}	{ YDVAR(1, VAR_UNBLOCK_LAN_ZONES) }
 statistics-interval{COLON}	{ YDVAR(1, VAR_STATISTICS_INTERVAL) }
 statistics-cumulative{COLON}	{ YDVAR(1, VAR_STATISTICS_CUMULATIVE) }
 extended-statistics{COLON}	{ YDVAR(1, VAR_EXTENDED_STATISTICS) }

contrib/unbound/util/configparser.h

@@ -128,6 +128,7 @@
 #define VAR_RRSET_ROUNDROBIN 384
 #define VAR_MAX_UDP_SIZE 385
 #define VAR_DELAY_CLOSE 386
+#define VAR_UNBLOCK_LAN_ZONES 387
 #ifdef YYSTYPE
 #undef  YYSTYPE_IS_DECLARED
 #define YYSTYPE_IS_DECLARED 1

contrib/unbound/util/configparser.y

@@ -105,7 +105,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
 %token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
 %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
-%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
+%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE VAR_UNBLOCK_LAN_ZONES
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -163,7 +163,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_log_queries | server_tcp_upstream | server_ssl_upstream |
 	server_ssl_service_key | server_ssl_service_pem | server_ssl_port |
 	server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
-    server_so_reuseport | server_delay_close
+	server_so_reuseport | server_delay_close | server_unblock_lan_zones
 	;
 stubstart: VAR_STUB_ZONE
 	{
@@ -678,6 +678,16 @@ server_delay_close: VAR_DELAY_CLOSE STRING_ARG
 		free($2);
 	}
 	;
+server_unblock_lan_zones: VAR_UNBLOCK_LAN_ZONES STRING_ARG
+	{
+		OUTYY(("P(server_unblock_lan_zones:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->unblock_lan_zones = 
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_rrset_cache_size: VAR_RRSET_CACHE_SIZE STRING_ARG
 	{
 		OUTYY(("P(server_rrset_cache_size:%s)\n", $2));