Given this innocent /etc/resolv.conf:

    # Generated by resolvconf
    # nameserver 192.168.1.1

    # nameserver 8.8.8.8
    nameserver 127.0.0.1
    options edns0

(the third line needs to be empty)

ldns actually sends requests to google DNS. Stripped down example:

    cat >/etc/resolv.conf <<EOF
    # g

    # nameserver 8.8.8.8
    EOF
    drill www.google.com
    host www.google.com

(there is no resolver running on localhost)

This problem can lead to information leakage and (which hit me) break our setup, where local_unbound is serving a private zone, but google was contacted instead.

Filed upstream, more details (and suggested solutions) can be found here: https://github.com/NLnetLabs/ldns/issues/237

CCed des and emaste, as they did the last import of ldns in 13.3
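As an added illustration (not part of this report and not ldns code), the following C program applies the parsing rule the bug violates: every line of resolv.conf is classified on its own, so a line whose first non-blank character is '#' or ';' is a comment no matter what the previous line was, and a blank line contributes nothing. The two sample files are reconstructed from the report above, with the blank line placed where the reporter says it is; the function names (parse_nameservers, active_nameserver_count, active_nameserver) are chosen here and exist nowhere else.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NS_MAX 3    /* resolv.conf honours at most three nameserver entries */
#define NS_LEN 64

/* Constructed copies of the two files from the report; the blank line is
 * placed where the reporter says it is (third line of the "innocent" file). */
static const char INNOCENT_RESOLV_CONF[] =
    "# Generated by resolvconf\n"
    "# nameserver 192.168.1.1\n"
    "\n"
    "# nameserver 8.8.8.8\n"
    "nameserver 127.0.0.1\n"
    "options edns0\n";

static const char STRIPPED_RESOLV_CONF[] =
    "# g\n"
    "\n"
    "# nameserver 8.8.8.8\n";

/* Extract the active "nameserver" values from resolv.conf text into out[].
 * Each line is judged by itself: skip leading blanks, and if the line is
 * empty or its first non-blank character is '#' or ';' it is a comment and
 * is ignored entirely, regardless of what preceded it.
 * Returns the number of entries stored (at most max). */
int parse_nameservers(const char *text, char out[][NS_LEN], int max)
{
    int count = 0;
    const char *line = text;

    while (*line != '\0' && count < max) {
        const char *nl = strchr(line, '\n');
        const char *stop = nl ? nl : line + strlen(line);
        const char *p = line;

        while (p < stop && isspace((unsigned char)*p))
            p++;
        /* only a non-comment line starting with the keyword plus a blank counts */
        if (p < stop && *p != '#' && *p != ';'
            && (size_t)(stop - p) > 10
            && strncmp(p, "nameserver", 10) == 0
            && isspace((unsigned char)p[10])) {
            const char *v = p + 10;
            const char *ve;
            while (v < stop && isspace((unsigned char)*v))
                v++;
            ve = v;
            while (ve < stop && !isspace((unsigned char)*ve))
                ve++;
            if (ve > v && (size_t)(ve - v) < NS_LEN) {
                memcpy(out[count], v, (size_t)(ve - v));
                out[count][ve - v] = '\0';
                count++;
            }
        }
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return count;
}

/* Convenience wrappers around a static result buffer. */
static char g_ns[NS_MAX][NS_LEN];

int active_nameserver_count(const char *text)
{
    return parse_nameservers(text, g_ns, NS_MAX);
}

const char *active_nameserver(int i)
{
    return (i >= 0 && i < NS_MAX) ? g_ns[i] : "";
}

int main(void)
{
    int n = active_nameserver_count(INNOCENT_RESOLV_CONF);
    printf("innocent file: %d active nameserver(s)\n", n);
    for (int i = 0; i < n; i++)
        printf("  %s\n", active_nameserver(i));
    n = active_nameserver_count(STRIPPED_RESOLV_CONF);
    printf("stripped-down file: %d active nameserver(s)\n", n);
    return 0;
}
```

Run against the reporter's files this yields exactly one active server (127.0.0.1) for the "innocent" configuration and none for the stripped-down one; a resolver library that reports 8.8.8.8 for either input is parsing comments as configuration.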
This also affects 14.0-RELEASE, 14.1-BETA1 and CURRENT
There is an upstream fix available now (not merged yet): https://github.com/NLnetLabs/ldns/pull/238
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=3b092e4936c433889cc668ea9563c8fd437d1a3e

commit 3b092e4936c433889cc668ea9563c8fd437d1a3e
Merge: 154ad8e0f88f 4891157c57cc
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2024-05-15 10:16:24 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2024-05-15 10:20:15 +0000

    ldns: Ignore commented-out lines in resolv.conf.

    This merges upstream PR 238 + an additional bug fix.

    PR:             278721
    MFC after:      1 week

 contrib/ldns/ldns/parse.h |  2 ++
 contrib/ldns/parse.c      | 35 +++++++++++++++++++++++++++----
 contrib/ldns/resolver.c   | 53 ++++++++--------------------------------------
 3 files changed, 42 insertions(+), 48 deletions(-)
Upstream merged the commit.