- Posts: 4504
- Joined: Sat Nov 16, 2019 12:49 am
I don't think it works this way, i.e. making the DNS request return a local IP. This is the description from the documentation https://nlnetlabs.nl/documentation/unbo ... ound.conf/
    private-domain: <domain name>
        Allow this domain, and all its subdomains to contain private addresses. Give multiple times to allow multiple domain names to contain private addresses. Default is none.
For me it looks like it only allows private addresses to be accepted.
Please let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
- Site Admin
- Posts: 2917
- Joined: Sat Nov 18, 2017 6:21 pm
By default, Unbound, like most routers, does not accept DNS responses from upstream providers that contain a private IP address of your local network. An upstream provider cannot or must not know any private IP valid in your network, of course. Many routers and Unbound drop such answers as a security measure, as they could be misused by an attacker to trigger connections from your system to other systems in your private network (while it believes it is connecting to a public host) and to gather private data this way. This is called DNS rebinding protection.
I didn't fully understand how these secure Plex connections from their web app to your private Plex instance work, but they seem to require exactly that: a DNS response for plex.direct containing the IP of your private Plex instance, while it actually is a public domain. They try to explain this behaviour, but as it is blocked by default by most DNS resolvers, I tend to call it bad design, relying on a method that is mostly seen as a vulnerability, even if in their particular implementation it is not an actual security issue.
The private-domain setting then disables the DNS rebinding protection for this particular domain, similar to how one can usually add a particular domain to a router's rebinding protection whitelist.
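To make the behaviour described in both posts concrete, here is an added Python example (not Unbound's or DietPi's own code) that models the rebinding filter: private addresses in an upstream answer are dropped unless the queried name equals, or is a subdomain of, a private-domain entry, and the exception only permits such answers rather than producing them. The private ranges are a constructed approximation of Unbound's private-address defaults, and the plex.direct hostname and sample addresses are constructed inputs.

```python
import ipaddress

# Ranges treated as "private" for the rebinding check. Constructed here to
# approximate common defaults (RFC 1918, link-local, ULA); Unbound takes its
# real list from the private-address settings in unbound.conf.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10",
)]


def is_private(addr: str) -> bool:
    """True if addr lies inside one of the configured private ranges."""
    ip = ipaddress.ip_address(addr)
    # 'in' is False when the address family differs, so mixing v4/v6 is safe.
    return any(ip in net for net in PRIVATE_NETS)


def in_private_domain(qname: str, private_domains) -> bool:
    """True if qname is a private-domain entry or one of its subdomains."""
    q = qname.rstrip(".").lower()
    for dom in private_domains:
        d = dom.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def filter_answer(qname: str, addresses, private_domains=()):
    """Apply rebinding protection to the addresses of one upstream answer.

    Private addresses are dropped unless qname is covered by private-domain.
    The exception only lets such answers through; nothing here makes the
    resolver return a private address on its own.
    """
    if in_private_domain(qname, private_domains):
        return list(addresses)
    return [a for a in addresses if not is_private(a)]


if __name__ == "__main__":
    # Constructed sample answers; 203.0.113.0/24 is documentation space.
    host = "some-host.plex.direct"  # constructed, not a real Plex hostname
    print(filter_answer(host, ["192.168.1.20"]))                  # dropped
    print(filter_answer(host, ["192.168.1.20"], ["plex.direct"]))  # kept
    print(filter_answer("example.com", ["192.168.1.20", "203.0.113.10"],
                        ["plex.direct"]))                         # public only
```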