
Certain recursive resolvers, like unbound, have protections you can enable that disallow remote hosts from returning private address space.

xip.io is one of those services that doesn't work on my home network because I have unbound block all RFC1918 space.

        # Enforce privacy of these addresses. Strips them away from answers.
        # It may cause DNSSEC validation to additionally mark it as bogus.
        # Protects against 'DNS Rebinding' (uses browser as network proxy).
        # Only 'private-domain' and 'local-data' names are allowed to have
        # these private addresses. No default.
        private-address: 10.0.0.0/8
        private-address: 172.16.0.0/12
        private-address: 192.168.0.0/16
        private-address: 169.254.0.0/16
        private-address: fd00::/8
        private-address: fe80::/10
        private-address: 127.0.0.0/8



Looks like the directive for dnsmasq is stop-dns-rebind, for anyone wondering.
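
A sketch of the answer filtering that the `private-address` settings quoted above describe, added here as an example; it is not part of the thread and is not unbound's or dnsmasq's code. The sample answers and the `home.example` private domain are constructed, and unwrapping IPv4-mapped IPv6 addresses is a choice of this sketch that goes beyond the quoted config.

```python
import ipaddress

# Ranges copied from the unbound.conf excerpt quoted in the thread.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fd00::/8", "fe80::/10", "127.0.0.0/8")]

SAMPLE_ANSWERS = [  # constructed (qname, returned addresses) pairs
    ("10.0.0.1.xip.io", ["10.0.0.1"]),
    ("www.example.com", ["93.184.216.34", "192.168.1.10"]),
    ("nas.home.example", ["192.168.1.20"]),
    ("mapped.example.net", ["::ffff:127.0.0.1", "2001:db8::1"]),
]

def is_private(addr, networks=PRIVATE_ADDRESS):
    ip = ipaddress.ip_address(addr)
    # Choice of this sketch: judge ::ffff:a.b.c.d by its embedded IPv4
    # address, so an AAAA record cannot carry 127.0.0.1 past the IPv4 ranges.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return any(ip.version == net.version and ip in net for net in networks)

def under(name, domain):
    """True if name equals domain or is a subdomain of it (label-aligned)."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)

def filter_answer(qname, addresses, private_domains=()):
    """Return (kept, stripped) for one answer; private domains are exempt."""
    if any(under(qname, d) for d in private_domains):
        return list(addresses), []
    kept, stripped = [], []
    for a in addresses:
        (stripped if is_private(a) else kept).append(a)
    return kept, stripped

def audit(answers, private_domains=("home.example",)):  # hypothetical domain
    return {q: filter_answer(q, a, private_domains) for q, a in answers}

if __name__ == "__main__":
    for q, (kept, stripped) in audit(SAMPLE_ANSWERS).items():
        print(f"{q:20} kept={kept} stripped={stripped}")
```

An empty `kept` list for a name such as `10.0.0.1.xip.io` corresponds to the failure the first comment describes: the only address in the answer is private, so nothing usable is left for the client.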



