[Dnsmasq-discuss] configurable stop-dns-rebind?

Simon Kelley simon at thekelleys.org.uk
Fri May 14 16:21:44 BST 2010


clemens fischer wrote:
> Simon Kelley wrote:
> 
>> I added the offending domain to the log message and turned it on on my
>> mail server box, which is running spamassassin. In addition to the three
>> you have, I've added
>>
>> rebind-domain-ok=/rfc-ignorant.org/
>> rebind-domain-ok=/sorbs.net/
>> rebind-domain-ok=/uribl.com/
>> rebind-domain-ok=/surbl.org/
>> rebind-domain-ok=/dnswl.org/
>> rebind-domain-ok=/njabl.org/
>>
>> and it seems to be quiet now.
> 

I did some more research on this, and found a couple of relevant facts.

1) SpamAssassin can potentially contact _dozens_ of RBLs, look in
/usr/share/spamassassin/20_dnsbl_tests.cf to get some idea. Presumably
the set can expand as new SA tests are added. Keeping the list
up-to-date in dnsmasq may be a bit of a headache.

2) There's an IETF draft on implementing these things, which implies
that the result of any A query to an RBL will be in 127.0.0.0/8

   There is no widely used convention for mapping sublist names to bits
   or values, beyond the convention that all A values SHOULD be in the
   127.0.0.0/8 range to prevent unwanted network traffic if the value is
   erroneously used as an IP address.


The fact that stop-dns-rebind blocks 127.0.0.0 is a bit of a coincidence,
which comes from the fact that it uses the same address-checking code as
--bogus-priv. My understanding of the rebind attack is that it can't be
done via 127.0.0.1: That might get you a backdoor into the machine
running the program being attacked, but nothing you can't get by using
"localhost" to do the same thing.

I therefore propose to remove the rebind-domain-ok option, and just
change stop-dns-rebind to reject RFC1918 addresses, and not 127.0.0.0/8.


Comments?


Cheers,

Simon.
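
The two behaviours debated above, as an added illustration that is not dnsmasq's own code: an answer-filtering check that models the current stop-dns-rebind logic (RFC1918 and 127.0.0.0/8 rejected, with a rebind-domain-ok whitelist consulted first) beside Simon's proposal (RFC1918 only, no whitelist). The whitelist mirrors the rebind-domain-ok lines quoted in the thread; treating each entry as a domain suffix match is an assumption about dnsmasq's semantics, and the sample query names and addresses are constructed for the example (the RBL-style names and 203.0.113.x documentation address are not real lookups).

```python
import ipaddress

# RFC 1918 private ranges: a public name should never resolve into these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Loopback range: where RBL "listed" answers live, per the draft quoted above.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Whitelist mirroring the rebind-domain-ok lines quoted in the thread.
REBIND_DOMAIN_OK = ["rfc-ignorant.org", "sorbs.net", "uribl.com",
                    "surbl.org", "dnswl.org", "njabl.org"]


def domain_matches(name, suffix):
    """True if `name` equals `suffix` or is a subdomain of it.

    Assumption: rebind-domain-ok entries behave as domain suffixes.
    """
    name = name.rstrip(".").lower()
    suffix = suffix.rstrip(".").lower()
    return name == suffix or name.endswith("." + suffix)


def is_rebind_answer(name, addr, block_loopback=True, ok_domains=()):
    """Return True if the A answer `addr` for `name` should be dropped.

    block_loopback=True  models the current behaviour discussed in the thread
                         (RFC1918 and 127/8 blocked, whitelist consulted).
    block_loopback=False models the proposal (RFC1918 only).
    """
    ip = ipaddress.ip_address(addr)
    if any(domain_matches(name, d) for d in ok_domains):
        return False          # explicitly whitelisted name
    if any(ip in net for net in RFC1918):
        return True           # public name answering with a LAN address
    if block_loopback and ip in LOOPBACK:
        return True           # loopback answer (where RBL hits land)
    return False


# Constructed sample answers (not real DNS data):
SAMPLE_ANSWERS = [
    ("2.0.0.127.dnsbl.sorbs.net", "127.0.0.2"),      # RBL hit, whitelisted zone
    ("2.0.0.127.rbl.example.invalid", "127.0.0.3"),  # RBL hit, not whitelisted
    ("www.example.com", "203.0.113.10"),             # ordinary public answer
    ("www.example.com", "192.168.1.10"),             # the pattern the option exists to stop
]


def evaluate(proposed):
    """Run every sample answer through one of the two policies.

    Returns {(name, addr): rejected}. proposed=False is the current logic
    with the whitelist; proposed=True is RFC1918-only with no whitelist.
    """
    if proposed:
        kwargs = dict(block_loopback=False, ok_domains=())
    else:
        kwargs = dict(block_loopback=True, ok_domains=REBIND_DOMAIN_OK)
    return {(n, a): is_rebind_answer(n, a, **kwargs) for n, a in SAMPLE_ANSWERS}


if __name__ == "__main__":
    for label, proposed in (("current", False), ("proposed", True)):
        print(label)
        for (n, a), rejected in evaluate(proposed).items():
            print(f"  {n:34} {a:14} {'REJECT' if rejected else 'allow'}")
```

Under the current policy the unlisted RBL's 127.0.0.3 reply is rejected, which is the false positive that prompted the whitelist; under the proposal every loopback reply passes while the LAN-address answer is still dropped, so the whitelist becomes unnecessary without weakening the RFC1918 check.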
