From 9aba6192e768e5929a96f35e856207364a03a590 Mon Sep 17 00:00:00 2001
From: Orazio <22700499+orazioedoardo@users.noreply.github.com>
Date: Wed, 4 Oct 2023 13:39:59 +0200
Subject: [PATCH] unbound: block dns rebinding

Blocking RFC 1918 addresses too is unlikely to be useful on your setup, but may be in case you add something like a VPC in the future.
---
 unbound.conf | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/unbound.conf b/unbound.conf
index b1b09d8..35bc6f8 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -14,6 +14,17 @@ server:
 outgoing-port-avoid: 8008 # synapse
 outgoing-port-avoid: 8080 # attestation
+ # Block DNS rebinding
+ private-address: 10.0.0.0/8
+ private-address: 172.16.0.0/12
+ private-address: 192.168.0.0/16
+ private-address: fd00::/8
+ private-address: 169.254.0.0/16
+ private-address: fe80::/10
+ private-address: 127.0.0.0/8
+ private-address: ::1/128
+ private-address: ::ffff:0:0/96
+
 # AF21
 ip-dscp: 18
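Review bot: The loopback coverage in the added `private-address` list stops at `127.0.0.0/8` and `::1/128`, so an answer carrying the unspecified address (`0.0.0.0` or `::`) still passes the filter. Client stacks commonly treat a connection to the unspecified address as a connection to the local host, so I would add `private-address: 0.0.0.0/8` and `private-address: ::/128` next to the loopback entries. Separately, the Unbound documentation warns that listing `127.0.0.0/8` hinders DNS blocklists, which answer with 127.0.0.x. If anything behind this resolver performs such lookups (not visible in this hunk), a trailing comment such as `# also strips DNSBL answers (127.0.0.x)` on that line would document the trade-off. The `server:` clause starts above the hunk and continues below it.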