ansible_role_unbound/templates/snippets/private-addresses.conf

{{ ansible_managed | comment }}
server:
    # Give IPv4 of IPv6 addresses or classless subnets. These are addresses on your private network,
    # and are not allowed to be returned for public internet names.  Any occurrence of such addresses
    # are removed from DNS answers. Additionally, the  DNSSEC validator may mark the answers bogus.
    # This protects against so-called DNS Rebinding.

    # Legacy IP
{% if unbound__protect_rebind_localhost | bool %}
    # localhost
    private-address: 127.0.0.0/8
{% endif %}
{% if unbound__protect_rebind_rfc1918 | bool %}
    # private IPv4 address spaces (rfc 1918)
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
{% endif %}
{% if unbound__protect_rebind_carrier_grade_nat | bool %}
    # carrier-grade NAT (rfc 6598)
    private-address: 100.64.0.0/10
{% endif %}
{% if unbound__protect_rebind_v4_link_local | bool %}
    # link-local addresses
    private-address: 169.254.0.0/16
{% endif %}

    # IPv6
{% if unbound__protect_rebind_localhost | bool %}
    # localhost
    private-address: ::/128
{% endif %}
{% if unbound__protect_rebind_unique_local | bool %}
    # unique local addresses (rfc 4193)
    private-address: fd00::/8
{% endif %}
{% if unbound__protect_rebind_v6_link_local | bool %}
    # link-local addresses (rfc 4862, 4291)
    private-address: fe80::/10
{% endif %}
{% if unbound__protect_rebind_rfc4291 | bool %}
    # IPv4-mapped addresses (rfc 4291)
    private-address: ::ffff:0:0/96
{% endif %}