System 12.1-RELEASE. Guess this also affects other releases as well.
Dear network wizzards,
in the default configuration installed by local-unbound-setup, local-unbound(8) sends out DNS lookups for "private" networks (10.xxx/8, 192.168.xxx/16 etc.) out to the internet: the option is set to unblock-lan-zones=yes in the config file installed, whereas this setting defaults to "no" (RFC-compliant & safe).
Is this because the intended use of local-unbound(8) is to use it e.g. in a VPN setup?
Or is it assumed other settings should be adjusted accordingly, i.e. to set up internal and external interfaces?
I.e. it is assumed noone would ever start up local-unbound(8) with the shipped config unedited?
I posted this question in the forum, but did not get any reply, although it was read >100 times. Thus I'd consider this a bug. IMHO any automagic config shipped or created should comply to relevant RFCs. In rare cases this guideline may be violated if it's reasonable, but then it should be clearly documented, e.g. the user gets a big fat warning.
Another problem I had was devfs devices disappearing when I try to put local_unbound in a jail. But that's another topic.
Thx in advance, stay strong & healthy!