Private Domains setting is hard to find under non-DNSBL use cases #5256
Comments
Yes, it needs to be moved. And no it won’t be done fast and easy because a lot of work is still needed to modernise the code base we inherited. I have this on my radar, but it’s a bigger issue than keeping track of when a single option is moved somewhere else regardless of if it’s properly documented or not. That’s another story. Cheers,
No worries, thanks for the quick reply!
For a bit more context where private-domain setting came from #5104
This issue has been automatically timed-out (after 180 days of inactivity). For more information about the policies for this repository, If someone wants to step up and work on this issue, |
Small addition to #6050:
- Move private/insecure domains to advanced as its intended use has a larger scope than DNSBLs only. Fixes #5256
- Extends the migration to also include these domains.
- leftover cleanup of legacy settings in migration.
- Adds the `serve-expired-reply-ttl`, `serve-expired-ttl`, `serve-expired-ttl-reset`, `serve-expired-client-timeout` options. These options are hidden until the `serve-expired` checkbox is checked, and indented to signify a relationship.
- Removes all dropdowns and instead provides numeric fields to input raw values for more control and less "guessing" of what is acceptable.
- Removes default settings to prevent mismatches with upstream in the future. It's probably best to refer to the Unbound documentation in our own documentation.
- Previously, `rrset-cache-size` and `outgoing-range` were implicitly set. These are now input fields. The migration code will take care of legacy setting assumptions. Fixes #5978 Fixes #5795
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Is your feature request related to a problem? Please describe.
On my network, the search domains are home.daz.cat (containing private IPv4 addresses) followed by daz.cat (containing public addresses). For example, storage.home.daz.cat is 172.19.42.3, and storage.daz.cat is 2403:5800:c200:8600:5054:ff:fe01:4018.
But home.daz.cat is served publicly, which annoys unbound’s DNS rebinding prevention:
Describe solutions and alternatives
At first I thought the only solution was to add a domain override (Services > Unbound DNS > Overrides), which happens to add private-domain and domain-insecure in addition to the forward-zone, but eventually I found Blocklist > Private Domains. Thankfully the setting works regardless of whether DNSBL is enabled.
Given my use case, I think this is a confusing place to put the setting. What do you think about moving it to Advanced or similar, and updating the help text to be less “DNSBL only”?
Additional context
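The behaviour described in the issue, as an added example that is not part of the original thread or of the project's code: a simplified Python model of Unbound's `private-address` filtering and the `private-domain` exemption. The function names and the configured ranges (RFC 1918 plus IPv6 ULA) are assumptions; the host names and addresses are the ones quoted in the issue, plus one constructed name.

```python
import ipaddress

# Assumed private-address ranges; the issue does not list the configured ones.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")]


def labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing root dot."""
    return name.rstrip(".").lower().split(".")


def under_private_domain(qname, private_domains):
    """True if qname equals, or is a subdomain of, any private-domain entry.

    Comparison is per label, so 'nothome.daz.cat' does not match 'home.daz.cat'.
    """
    q = labels(qname)
    for dom in private_domains:
        d = labels(dom)
        if len(q) >= len(d) and q[-len(d):] == d:
            return True
    return False


def filter_answer(qname, addresses, private_domains):
    """Return (kept, stripped) address lists for an answer to qname.

    Names under a private-domain keep every address. For all other names,
    addresses inside a private-address range are removed from the answer.
    """
    if under_private_domain(qname, private_domains):
        return list(addresses), []
    kept, stripped = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        is_private = any(ip in net for net in PRIVATE_ADDRESS)
        (stripped if is_private else kept).append(addr)
    return kept, stripped


if __name__ == "__main__":
    cases = [("storage.home.daz.cat", ["172.19.42.3"]),
             ("storage.daz.cat", ["2403:5800:c200:8600:5054:ff:fe01:4018"]),
             ("rebind.example.test", ["192.168.1.1"])]  # constructed public name
    for private_domains in ([], ["home.daz.cat"]):
        for qname, addrs in cases:
            print(private_domains, qname, filter_answer(qname, addrs, private_domains))
```

Exempting only `home.daz.cat` leaves the filter active for every other name, which is why a narrow `private-domain` entry is preferable to loosening `private-address`.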