Can't connect to Plex directly due to Unbound Topic is solved

Joulinar
Posts: 4504
Joined: Sat Nov 16, 2019 12:49 am

Re: Can't connect to Plex directly due to Unbound

Post by Joulinar »

Hi,

I don't think it is working this way for the DNS request to return a local IP. This is the description for the private-domain: value according to the unbound documentation https://nlnetlabs.nl/documentation/unbo ... ound.conf/

       private-domain: <domain name>
              Allow this domain, and all its subdomains to contain private
              addresses. Give multiple times to allow multiple domain names to
              contain private addresses. Default is none.

For me it looks like it only allows private addresses to be allowed.
Pls let us know if a solution is working. This could help others if they are hit by a similar situation.

Your DietPi Team
MichaIng
Site Admin
Posts: 2917
Joined: Sat Nov 18, 2017 6:21 pm

Re: Can't connect to Plex directly due to Unbound

Post by MichaIng »

By default, Unbound, like most routers too, does not accept DNS responses from upstream providers to contain a private IP address of your local network. An upstream provider cannot or must not know any private IP valid in your network, of course. Many routers and Unbound drop such answers as a security measure, as it could be misused by an attacker, triggering connections from your system to other systems in your private network (while believing to connect to a public host) and gathering private data by this. This is called DNS rebinding protection.

I didn't fully understand how these secure Plex connections from their web app to your private Plex instance work, but they seem to require exactly that: a DNS response for plex.direct containing the IP of your private Plex instance while it actually is a public domain. They try to explain this behaviour, but as it is blocked by default by most DNS resolvers, I tend to call it bad design, relying on a method that is mostly seen as a vulnerability, even if in their particular implementation it is not an actual security issue.

The private-domain setting now disables the DNS rebinding protection for this particular domain, similar to how one usually can add a particular domain to a router's rebinding protection whitelist.
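To make the rebinding check described in the thread concrete, here is an added example (not from the thread or from the Unbound project) that models the decision Unbound makes: an answer carrying a private address is dropped unless the queried name falls under a configured private-domain. The private-address ranges, the plex.direct hostname and the sample answers are constructed; the function only models plain A/AAAA answers, not CNAME chains.

```python
import ipaddress

# Constructed defaults modelled on the RFC 1918 ranges commonly listed as
# private-address in unbound.conf; Unbound configures none unless told to.
PRIVATE_ADDRESS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
PRIVATE_DOMAIN = ["plex.direct"]


def in_private_domain(qname, private_domains):
    """True if qname equals, or is a subdomain of, an allowed domain."""
    q = qname.rstrip(".").lower()
    for d in private_domains:
        d = d.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def answer_is_dropped(qname, ip, private_address=PRIVATE_ADDRESS,
                      private_domains=PRIVATE_DOMAIN):
    """Model the rebinding protection: drop an answer whose address lies in
    a private range unless the name is whitelisted via private-domain."""
    addr = ipaddress.ip_address(ip)
    is_private = any(addr in ipaddress.ip_network(n) for n in private_address)
    return is_private and not in_private_domain(qname, private_domains)


def render_unbound_config(private_address=PRIVATE_ADDRESS,
                          private_domains=PRIVATE_DOMAIN):
    """Emit the server: stanza that expresses the same policy in unbound.conf."""
    lines = ["server:"]
    lines += [f"    private-address: {n}" for n in private_address]
    lines += [f'    private-domain: "{d}"' for d in private_domains]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed answers: a plex.direct name pointing at a LAN host (what the
    # Plex web app relies on), a public name pointing at a LAN host (the
    # rebinding case the protection exists for), and a normal public answer.
    SAMPLE = [
        ("192-168-1-10.0123456789abcdef.plex.direct", "192.168.1.10"),
        ("www.example.com", "192.168.1.1"),
        ("www.example.com", "203.0.113.5"),
    ]
    for name, ip in SAMPLE:
        verdict = "DROPPED" if answer_is_dropped(name, ip) else "allowed"
        print(f"{name} -> {ip}: {verdict}")
    print(render_unbound_config())
```

Running it with private_domains=[] shows the plex.direct answer being dropped as well, which is exactly the symptom the thread starts from.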