unbound: block dns rebinding

Blocking RFC 1918 addresses too is unlikely to be useful on your setup, but may be in case you add something like a VPC in the future.
2024-06-18 10:29:37 +00:00 · 2023-10-04 13:39:59 +02:00 · 2023-10-04 13:39:59 +02:00 · 9aba6192e7
commit 9aba6192e7
parent cb0007f816
1 changed files with 11 additions and 0 deletions
--- a/unbound.conf
+++ b/unbound.conf
@ -14,6 +14,17 @@ server:
    outgoing-port-avoid: 8008 # synapse
    outgoing-port-avoid: 8080 # attestation

+    # Block DNS rebinding
+    private-address: 10.0.0.0/8
+    private-address: 172.16.0.0/12
+    private-address: 192.168.0.0/16
+    private-address: fd00::/8
+    private-address: 169.254.0.0/16
+    private-address: fe80::/10
+    private-address: 127.0.0.0/8
+    private-address: ::1/128
+    private-address: ::ffff:0:0/96
+
    # AF21
    ip-dscp: 18