
Opting out of "DNS rebinding" IP blocking #15

Closed
AndrewKvalheim opened this issue Oct 15, 2019 · 5 comments

Comments

@AndrewKvalheim

I found it surprising that after setting all BLOCK_ options to off this server still blocks several IP ranges. It would be nice if there was an easy way to fully opt out so that tools like xip.io behave as expected.

Would you consider adding a BLOCK_DNS_REBINDING option, or at least moving that configuration into a blocks-dns-rebinding.conf for easier overriding?

@qdm12 qdm12 closed this as completed in 7b89415 Oct 15, 2019
@qdm12
Owner

qdm12 commented Oct 15, 2019

I've added an environment variable PRIVATE_ADDRESS that defaults to 127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:0:0/96 but you can now set it to what you want.

If it still does not work, it may be because the IP addresses are in the block lists. I am reworking the generation of these lists with a proper Go program, so you should soon be able to have finer-grained control over what to block as well.

@wei
Contributor

wei commented Dec 14, 2019

Thanks for the issue and response.

The blocks-malicious.conf still has all the private-address entries listed, which prevents unbound from returning those IPs.

/unbound $ cat blocks-malicious.conf | grep 10.0.0.0
private-address: 10.0.0.0/8

I'd love to use BLOCK_MALICIOUS=on; are there any updates on customizing the blocks-malicious list to exclude private-address?

@qdm12
Owner

qdm12 commented Dec 14, 2019

Private IPs shouldn't be in there. I'll adapt the program building the block lists to remove private IP addresses. I'll re-open the issue until it's done. Thanks for pointing this out.
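As an added example (not the project's own code), this is how a block-list builder can apply the PRIVATE_ADDRESS list quoted earlier in the thread to strip private addresses before they reach unbound, using Go's net/netip; the sample block-list entries are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)
// DefaultPrivateAddress is the PRIVATE_ADDRESS default quoted in the issue above.
const DefaultPrivateAddress = "127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:0:0/96"
// ParsePrivateAddress parses the comma-separated CIDR list that PRIVATE_ADDRESS carries.
func ParsePrivateAddress(s string) ([]netip.Prefix, error) {
	var prefixes []netip.Prefix
	for _, field := range strings.Split(s, ",") {
		p, err := netip.ParsePrefix(strings.TrimSpace(field))
		if err != nil {
			return nil, fmt.Errorf("PRIVATE_ADDRESS: bad CIDR %q: %w", field, err)
		}
		prefixes = append(prefixes, p)
	}
	return prefixes, nil
}
// IsPrivate reports whether ip lies in any configured range. netip keeps IPv4 and IPv4-mapped IPv6 distinct, so a plain A-record address never matches ::ffff:0:0/96.
func IsPrivate(ip netip.Addr, prefixes []netip.Prefix) bool {
	for _, p := range prefixes {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}
// FilterBlockList drops private addresses from a block list; non-IP entries (hostnames) are kept.
func FilterBlockList(entries []string, prefixes []netip.Prefix) (kept, dropped []string) {
	for _, e := range entries {
		if ip, err := netip.ParseAddr(strings.TrimSpace(e)); err == nil && IsPrivate(ip, prefixes) {
			dropped = append(dropped, e)
		} else {
			kept = append(kept, e)
		}
	}
	return kept, dropped
}
func main() {
	prefixes, err := ParsePrivateAddress(DefaultPrivateAddress)
	if err != nil {
		panic(err)
	}
	sample := []string{"10.0.0.0", "203.0.113.7", "fe80::1", "::ffff:203.0.113.7", "ads.example"} // constructed
	kept, dropped := FilterBlockList(sample, prefixes)
	fmt.Printf("kept: %v\ndropped (private, must not be in a block list): %v\n", kept, dropped)
}
```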

@qdm12 qdm12 reopened this Dec 14, 2019
@qdm12
Owner

qdm12 commented Dec 14, 2019

Hi @wei

There should not be any private IP addresses in the block lists anymore.

I triggered a build which should push the Docker images to Docker Hub in a few minutes; simply docker pull qmcgaw/cloudflare-dns-server and restart the container 👍

For your information, the files used in this Docker image (DNS cryptographic stuff and block lists) are in the files repository if you want to search through them easily. They are also updated automatically by an updater I wrote.

Happy DNS-over-TLSing!

@qdm12 qdm12 closed this as completed Dec 14, 2019
@wei
Contributor

wei commented Dec 15, 2019

@qdm12 It works great!! Thanks for the reply and quick action!
