From 243947fc58ba5c33b2854b891517e3ff2e93dab9 Mon Sep 17 00:00:00 2001 From: Rob Gill Date: Thu, 13 Mar 2025 12:53:23 +1000 Subject: [PATCH] Prevent reverse dns requests from non-routable zones. (RFC6303 4.2) Additional DNS zones entered as private-address to align with RFC6303. Signed-off-by: Rob Gill --- docs/guides/dns/unbound.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/guides/dns/unbound.md b/docs/guides/dns/unbound.md index 7f222ee..12e7bd3 100644 --- a/docs/guides/dns/unbound.md +++ b/docs/guides/dns/unbound.md @@ -145,6 +145,13 @@ server: private-address: 10.0.0.0/8 private-address: fd00::/8 private-address: fe80::/10 + + # Ensure no reverse queries to non-public IP ranges (RFC6303 4.2) + private-address: 192.0.2.0/24 + private-address: 198.51.100.0/24 + private-address: 203.0.113.0/24 + private-address: 255.255.255.255/32 + private-address: 2001:db8::/32 ``` Start your local recursive server and test that it's operational:
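Review bot: the added comment `# Ensure no reverse queries to non-public IP ranges (RFC6303 4.2)` does not match what the five new `private-address:` lines do. In Unbound, `private-address` strips the listed addresses from answers returned for public names (DNS rebinding protection). It does not control whether reverse (PTR) lookups for those ranges are sent upstream. RFC 6303 is about serving the corresponding reverse zones locally (the `in-addr.arpa` and `ip6.arpa` names for these ranges), which in Unbound is handled by `local-zone`, not `private-address`. Suggest either rewording the comment to say that these documentation and broadcast ranges are removed from answers, or, if the goal is the one in the subject line, covering the reverse zones with `local-zone` entries and documenting that in the guide. The commit message wording "DNS zones entered as private-address" has the same mismatch, since the values added are address prefixes rather than zone names.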