New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
unbound: restrict creation of PTR records for both the system domain and host overrides #5925
Conversation
fair enough but my main concern was core/src/etc/inc/plugins.inc.d/unbound.inc Line 473 in 2115c45
and core/src/etc/inc/plugins.inc.d/unbound.inc Line 483 in 2115c45
|
Also very relevant, I suppose the same logic makes the most sense here |
if ($interface === $interfaces[0] && !in_array($laddr, $ptr_records, true)) { | ||
$unbound_entries .= "local-data-ptr: \"{$laddr} {$config['system']['hostname']}.{$domain}\"\n"; | ||
$ptr_records[] = $laddr; | ||
} | ||
$unbound_entries .= "local-data: \"{$config['system']['hostname']}.{$domain} A {$laddr}\"\n"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we should widen the conditional to guard A and AAAA as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should, but I'm not entirely sure if we can rely on the sorted list of interfaces and pick the first one. Shouldn't we at the very least determine if the picked interface is used for e.g. the webgui?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So I've made e76f15c for you to make this easier, maybe even move it out of the interfaces loop.
I tend to agree, but the metrics for the web GUI are difficult (what interfaces does the user want to listen on and what sort of NAT is he doing to change it to something else). So what about trying to aim for the same logic as anti-lockout would? That's a little further but not too complicated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
…and host overrides (#5925) In order to prevent the unpredictable behaviour of random PTR records being returned, which is not explicitly prohibited in RFC1035, it is best to restrict the creation of PTR records from every single host and alias (except for wildcard entries, no PTR records are created here), to only non-alias overrides (edit: the exception here is an alias whose parent does not create a PTR record, a wildcard entry). We also further restrict it to unique IP addresses so there can be no confusion in how to maintain the entries within the running Unbound instance. Hopefully this can pave the way for adding PTR records as a separate type instead of generating them under the hood, as is done currently. This change should at least address inconsistencies regarding random PTR records being returned as mentioned in #5477 A slight refactor of the existing unbound code is also included here for code reduction purposes. (cherry picked from commit 92a5a22)
The last commit (547c8b1) broke the creation of ptr records for host overrides that are not aliases. No ptr records are generated at all for host entries even if the entry is not an alias and the ip address is not already referenced by another ptr record. The new condition in unbound.inc Rewriting the condition like this fixes this issue for me (note the negation '!' inserted): This results in
|
Tested and works for me, thanks. |
I'm still receiving warnings for "PTR record already exists". I see the fix above, but it looks like an update has been deployed. I'm running Unbound version 1.16.2 Was the fix for this issue merged to master on Aug 16th? Is there a way to tell which version of unbound master is on? |
@guttermonk Shouldn't matter what version of unbound is running, this is in OPNsense's code that generates the unbound config. Looking at master, I don't see the fix that @fpehla proposes above. See https://github.com/opnsense/core/blob/master/src/etc/inc/plugins.inc.d/unbound.inc#L573 |
Should this issue be flipped from Merged to Open for visibility? |
This is completely normal for setups where multiple hostnames/domain names point to the same IP address (like when using an alias), this is a warning for this very reason: it is nonsensical to have multiple PTR records all pointing to the same IP, the system will just return a random host/domain name. The warnings' verbosity might be up for discussion though.
@fpehla I don't think the negation is the solution here, it's a solution by chance since the equality comparison
Host overrides which do not have a hostname specified will still generate a PTR record, I can easily reproduce this on my end. I'll prepare a patch if you wish to test this. |
@swhite2 I I confirm that your patch works, all PTR records are generating correctly. Without the patch, the PTR records for the overwritten hosts did not generate. |
Thanks for the patch, this fixes the issue for me. PTR records are generated again for overrides. I was not sure if the negation I introduced was the correct fix or if it just solved the issue for me by chance and broke something for others. So thanks again for looking into this! |
In order to prevent unpredictable behaviour from something that is not explicitly prohibited in RFC1035, it is best to restrict the creation of PTR records from every single host and alias (except for wildcard entries, no PTR records are created here), to only non-alias overrides (edit: the exception here is an alias whose parent does not create a PTR record). We also further restrict it to unique IP addresses so there can be no confusion in how to maintain the entries within the running Unbound instance.
Hopefully this can pave the way for adding PTR records as a separate type instead of generating them under the hood, as is done currently.
This change should at least address inconsistencies regarding random PTR records being returned as mentioned in #5477