I recently debugged some resolution failures that ended up being due to the wait-limit functionality that was recently introduced and enabled by default. In this particular case Unbound was listening on loopback and all queries to Unbound were originated from a loopback address.
RFC 1122 defines 127.0.0.0/8 addresses as being used for host loopback purposes and requires that 127.0.0.0/8 addresses "MUST NOT appear outside a host". In practice I believe many host kernel implementations, networking devices, and network operators do adhere to this requirement and filter 127.0.0.0/8 from appearing on real network interfaces.
I would suggest that 127.0.0.0/8 (and ::1) be exempt from the wait-limit, i.e. that the default behavior of Unbound should be equivalent to specifying something like the following in the config:
Logically, exempting these netblocks cannot possibly open up a vulnerability because, even if these addresses were used as spoofed victim source addresses and spoofed queries were somehow delivered over the Internet through an unbroken chain of network devices forwarding packets with a forbidden address in the IP header, received by a host running Unbound (and not filtered by the kernel) and actually processed by Unbound, the responses to the spoofed queries would be delivered to a loopback address and not actually go anywhere.
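To make the proposal above concrete, here is a small model of a per-source wait limit with and without the suggested loopback exemption. It is an added illustration for this discussion, not Unbound's own code or configuration: the limit semantics (count of queries still waiting per source bucket), the /24 and /64 bucket sizes, and the treatment of IPv4-mapped IPv6 addresses (`::ffff:127.0.0.1`, as seen on a dual-stack listener) are all assumptions of the model.

```python
"""Simplified model of a per-source 'wait limit' with a loopback exemption.

Illustrative model written for this discussion, not Unbound's implementation.
Assumed semantics: the resolver tracks, per source bucket, how many client
queries are still waiting for an answer and refuses new ones once a limit is
reached. The exemption list is the one proposed in the issue: 127.0.0.0/8 and
::1 are never limited.
"""
import ipaddress
from collections import defaultdict

# Netblocks the issue proposes to exempt (model assumption, not Unbound config).
LOOPBACK_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
)


def normalize(addr: str):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so a
    dual-stack listener sees v4 loopback clients as 127.x.x.x too.
    Assumption of this model: mapped addresses are treated as their v4 form."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_loopback_exempt(addr: str) -> bool:
    """True if addr falls inside 127.0.0.0/8 or is ::1."""
    ip = normalize(addr)
    return any(ip in net for net in LOOPBACK_NETS)


def source_bucket(addr: str) -> str:
    """Aggregate sources into /24 (v4) or /64 (v6) buckets.
    The prefix sizes are an assumption of this model."""
    ip = normalize(addr)
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network((ip, prefix), strict=False))


class WaitLimiter:
    """Per-bucket count of outstanding queries with an optional loopback bypass."""

    def __init__(self, limit: int, exempt_loopback: bool):
        self.limit = limit
        self.exempt_loopback = exempt_loopback
        self.waiting = defaultdict(int)

    def admit(self, src: str) -> bool:
        """Return True if a new query from src may be queued (and count it)."""
        if self.exempt_loopback and is_loopback_exempt(src):
            return True
        key = source_bucket(src)
        if self.waiting[key] >= self.limit:
            return False
        self.waiting[key] += 1
        return True

    def complete(self, src: str) -> None:
        """A query from src got its answer; release its slot."""
        if self.exempt_loopback and is_loopback_exempt(src):
            return
        key = source_bucket(src)
        if self.waiting[key] > 0:
            self.waiting[key] -= 1


def simulate(limit: int, exempt_loopback: bool, sources: list) -> list:
    """Feed a burst of queries (none answered yet) and report which were admitted."""
    lim = WaitLimiter(limit, exempt_loopback)
    return [lim.admit(s) for s in sources]


if __name__ == "__main__":
    # Constructed input: a local stub resolver on loopback bursts four queries
    # while upstream answers are slow, so nothing has completed yet.
    burst = ["127.0.0.1"] * 4
    print("no exemption:   ", simulate(2, False, burst))  # [True, True, False, False]
    print("loopback exempt:", simulate(2, True, burst))   # [True, True, True, True]
```

With the exemption, loopback clients are never refused regardless of how many queries are outstanding, while other sources in the same bucket are still limited, which is exactly the behaviour the proposal asks for.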