authorFlorian Obser <florian@cvs.openbsd.org>2019-11-03 18:15:27 +0000
committerFlorian Obser <florian@cvs.openbsd.org>2019-11-03 18:15:27 +0000
commit4898da92dccd668ccb785a53c8f477ae05703a21 (patch)
tree1c7b3be88dd83bf204848d46a32c6bf153753c9d
parent728e3f5655c497ae97072a8d944893f608a274b3 (diff)
When we are talking to an upstream nameserver we should not refuse to
forward queries for certain reverse zones (e.g. RFC1918 space). The local network might use them, and it is the upstream nameserver's policy that decides what should be done with them. Of course, if we are recursively resolving ourselves these should not leak to the global internet, so we continue to synthesize NXDOMAIN ourselves. For now we also always synthesize NXDOMAIN for special-use domains like test and onion. Pointed out by henning. Input & OK sthen
-rw-r--r--sbin/unwind/resolver.c122
1 files changed, 121 insertions, 1 deletions
diff --git a/sbin/unwind/resolver.c b/sbin/unwind/resolver.c
index cec582de1b7..57c32fbfc75 100644
--- a/sbin/unwind/resolver.c
+++ b/sbin/unwind/resolver.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: resolver.c,v 1.51 2019/11/03 09:46:11 otto Exp $ */
+/* $OpenBSD: resolver.c,v 1.52 2019/11/03 18:15:26 florian Exp $ */
/*
* Copyright (c) 2018 Florian Obser <florian@openbsd.org>
@@ -167,6 +167,104 @@ struct event_base *ev_base;
enum captive_portal_state captive_portal_state = PORTAL_UNCHECKED;
+static const char * const as112_zones[] = {
+ /* RFC1918 */
+ "10.in-addr.arpa. transparent",
+ "16.172.in-addr.arpa. transparent",
+ "31.172.in-addr.arpa. transparent",
+ "168.192.in-addr.arpa. transparent",
+
+ /* RFC3330 */
+ "0.in-addr.arpa. transparent",
+ "254.169.in-addr.arpa. transparent",
+ "2.0.192.in-addr.arpa. transparent",
+ "100.51.198.in-addr.arpa. transparent",
+ "113.0.203.in-addr.arpa. transparent",
+ "255.255.255.255.in-addr.arpa. transparent",
+
+ /* RFC6598 */
+ "64.100.in-addr.arpa. transparent",
+ "65.100.in-addr.arpa. transparent",
+ "66.100.in-addr.arpa. transparent",
+ "67.100.in-addr.arpa. transparent",
+ "68.100.in-addr.arpa. transparent",
+ "69.100.in-addr.arpa. transparent",
+ "70.100.in-addr.arpa. transparent",
+ "71.100.in-addr.arpa. transparent",
+ "72.100.in-addr.arpa. transparent",
+ "73.100.in-addr.arpa. transparent",
+ "74.100.in-addr.arpa. transparent",
+ "75.100.in-addr.arpa. transparent",
+ "76.100.in-addr.arpa. transparent",
+ "77.100.in-addr.arpa. transparent",
+ "78.100.in-addr.arpa. transparent",
+ "79.100.in-addr.arpa. transparent",
+ "80.100.in-addr.arpa. transparent",
+ "81.100.in-addr.arpa. transparent",
+ "82.100.in-addr.arpa. transparent",
+ "83.100.in-addr.arpa. transparent",
+ "84.100.in-addr.arpa. transparent",
+ "85.100.in-addr.arpa. transparent",
+ "86.100.in-addr.arpa. transparent",
+ "87.100.in-addr.arpa. transparent",
+ "88.100.in-addr.arpa. transparent",
+ "89.100.in-addr.arpa. transparent",
+ "90.100.in-addr.arpa. transparent",
+ "91.100.in-addr.arpa. transparent",
+ "92.100.in-addr.arpa. transparent",
+ "93.100.in-addr.arpa. transparent",
+ "94.100.in-addr.arpa. transparent",
+ "95.100.in-addr.arpa. transparent",
+ "96.100.in-addr.arpa. transparent",
+ "97.100.in-addr.arpa. transparent",
+ "98.100.in-addr.arpa. transparent",
+ "99.100.in-addr.arpa. transparent",
+ "100.100.in-addr.arpa. transparent",
+ "101.100.in-addr.arpa. transparent",
+ "102.100.in-addr.arpa. transparent",
+ "103.100.in-addr.arpa. transparent",
+ "104.100.in-addr.arpa. transparent",
+ "105.100.in-addr.arpa. transparent",
+ "106.100.in-addr.arpa. transparent",
+ "107.100.in-addr.arpa. transparent",
+ "108.100.in-addr.arpa. transparent",
+ "109.100.in-addr.arpa. transparent",
+ "110.100.in-addr.arpa. transparent",
+ "111.100.in-addr.arpa. transparent",
+ "112.100.in-addr.arpa. transparent",
+ "113.100.in-addr.arpa. transparent",
+ "114.100.in-addr.arpa. transparent",
+ "115.100.in-addr.arpa. transparent",
+ "116.100.in-addr.arpa. transparent",
+ "117.100.in-addr.arpa. transparent",
+ "118.100.in-addr.arpa. transparent",
+ "119.100.in-addr.arpa. transparent",
+ "120.100.in-addr.arpa. transparent",
+ "121.100.in-addr.arpa. transparent",
+ "122.100.in-addr.arpa. transparent",
+ "123.100.in-addr.arpa. transparent",
+ "124.100.in-addr.arpa. transparent",
+ "125.100.in-addr.arpa. transparent",
+ "126.100.in-addr.arpa. transparent",
+ "127.100.in-addr.arpa. transparent",
+
+ /* RFC4291 */
+ "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0."
+ "ip6.arpa. transparent",
+
+ /* RFC4193 */
+ "D.F.ip6.arpa. transparent",
+
+ /* RFC4291 */
+ "8.E.F.ip6.arpa. transparent",
+ "9.E.F.ip6.arpa. transparent",
+ "A.E.F.ip6.arpa. transparent",
+ "B.E.F.ip6.arpa. transparent",
+
+ /* RFC3849 */
+ "8.B.D.0.1.0.0.2.ip6.arpa. transparent"
+};
+
void
resolver_sig_handler(int sig, short event, void *arg)
{
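Review bot: The RFC1918 section of as112_zones lists only `16.172.in-addr.arpa.` and `31.172.in-addr.arpa.`, but 172.16.0.0/12 spans sixteen /16 reverse zones, so 17.172 through 30.172 are missing, while the RFC6598 section below enumerates every /16 of 100.64.0.0/10. If unbound's built-in default local zones cover the whole 172.16/12 block (its documentation lists them as the range 16.172 through 31.172), forwarder-type resolvers will keep synthesizing NXDOMAIN for 172.17–172.30 reverse lookups, which is the very behaviour this commit sets out to remove. Each entry must name a default zone exactly for the `transparent` override to take effect, so a quick check is to query e.g. 1.0.20.172.in-addr.arpa through a DHCP or DoT resolver and confirm it is forwarded rather than answered locally. The fix is to fill in the gap so the table mirrors the RFC6598 block.
```c
	/* RFC1918 */
	"10.in-addr.arpa. transparent",
	"16.172.in-addr.arpa. transparent",
	"17.172.in-addr.arpa. transparent",
	"18.172.in-addr.arpa. transparent",
	"19.172.in-addr.arpa. transparent",
	"20.172.in-addr.arpa. transparent",
	"21.172.in-addr.arpa. transparent",
	"22.172.in-addr.arpa. transparent",
	"23.172.in-addr.arpa. transparent",
	"24.172.in-addr.arpa. transparent",
	"25.172.in-addr.arpa. transparent",
	"26.172.in-addr.arpa. transparent",
	"27.172.in-addr.arpa. transparent",
	"28.172.in-addr.arpa. transparent",
	"29.172.in-addr.arpa. transparent",
	"30.172.in-addr.arpa. transparent",
	"31.172.in-addr.arpa. transparent",
	"168.192.in-addr.arpa. transparent",
	/* … unchanged: RFC3330, RFC6598 and ip6.arpa entries … */
```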
@@ -887,6 +985,7 @@ create_resolver(enum uw_resolver_type type, int oppdot)
struct uw_resolver *res;
struct trust_anchor *ta;
struct uw_forwarder *uw_forwarder;
+ size_t i;
int err;
char *resolv_conf = NULL, *tmp = NULL;
@@ -1019,6 +1118,27 @@ create_resolver(enum uw_resolver_type type, int oppdot)
break;
}
+ /* for the forwarder cases allow AS112 zones */
+ switch(res->type) {
+ case UW_RES_DHCP:
+ case UW_RES_FORWARDER:
+ case UW_RES_DOT:
+ for (i = 0; i < nitems(as112_zones); i++) {
+ log_debug("%s", as112_zones[i]);
+ if((err = ub_ctx_set_option(res->ctx, "local-zone:",
+ as112_zones[i])) != 0) {
+ ub_ctx_delete(res->ctx);
+ free(res);
+ log_warnx("error setting local-zone: %s: %s",
+ as112_zones[i], ub_strerror(err));
+ return (NULL);
+ }
+ }
+ break;
+ default:
+ break;
+ }
+
return (res);
}
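Review bot: The new switch does not follow the KNF spacing used elsewhere in this file (`switch(res->type)` and `if((err = ...` should read `switch (res->type) {` and `if ((err = ub_ctx_set_option(res->ctx, "local-zone:",`), and the `log_debug("%s", as112_zones[i]);` inside the loop emits one line per table entry every time a forwarder resolver is created, which is noise rather than information; logging once before the loop, or only on the failure path where the zone name is already printed, would be enough. The failure branch duplicates the `ub_ctx_delete`/`free` teardown inline; if `resolv_conf` or `tmp` (declared at the top of create_resolver) are still owned at this point, this early return would leak them, so it is worth checking against the other failure returns in this function. create_resolver begins before this hunk, so those earlier returns are not visible here.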