[Dnsmasq-discuss] configurable stop-dns-rebind?
Simon Kelley
simon at thekelleys.org.uk
Sat May 15 21:05:53 BST 2010
clemens fischer wrote:
> Hi Simon, did you intend to send this privately? The dnsmasq list was
> not Cc'ed.
>
>> Simon Kelley:
>
>> clemens fischer wrote:
>>
>>> Simon Kelley wrote:
>>>> The fact that stop-dns-rebind blocks 127.0.0.0 is bit of a
>>>> coincidence, which comes from the fact that it uses the same
>>>> address-checking code as --bogus-priv. My understanding of the
>>>> rebind attack is that it can't be done via 127.0.0.1: That might
>>>> get you a backdoor into the machine running the program being
>>>> attacked, but nothing you can't get be using "localhost" to do the
>>>> same thing.
>>> Sorry, I don't understand that last sentence.
>> Javascript or whatever running on a browser may be able to make
>> connections to the same machine via 127.0.0.1 that would not pass
>> through a firewall. It's possible to do that by using the domain
>> "localhost" which always resolves to 127.0.0.1, it doesn't need a
>> special domain returning IP addresses to do it.
>>
>>> AFAIK the rebinding attack makes user programs act as proxies after an
>>> attackers domain suddenly resolved to a rfc1918 IP.
>> exactly, the proxies can be used to attack the machine they are
>> running on too.
>
> As a matter of fact, any program asking for an IP and getting one from
> the RFC1918 range could turn into a proxy. The users browser being the
> prime target for this attack. This is what I meant by "proxy".
>
>>>> I therefore propose to remove the rebind-domain-ok option, and
>>>> just change stop-dns-rebind to reject RFC1918 addresses, and not
>>>> 127.0.0.0/8
>>> But then what is rob supposed to do with his VPN's? He needs RFC1918
>>> IPs and cannot use stop-dns-rebind currently.
>
>> Good point, maybe both changes are needed?
>
> To me your changes from test25..test27 were quite adequate by using the
> bogus-priv checks. Rob said he wants his VPN remotes to resolve. I can
> imagine he just enters the remotes as rebind-domain-ok domains and be
> happy.
I think so too, but it doesn't fix my problem of the large-and-growing
list of possible RBL domains in spamassassin rules. To avoid having a
large number of domains in /etc/dnsmasq.conf, removing 127.0.0.0/8 from
the addresses banned by stop-dns-rebind works much better, and doesn't
remove any protection.
>
> BTW, I tested test27 and it's working perfectly. It's fast and the
> logging is much better for my purposes than anything bind or pdnsd give
> me.
Great. I've put up test28 which makes the 127.0.0.0/8 change, and also
allows
rebind-domain-ok=thekelleys.org.uk
without the '/' characters if only one domain is given. That will catch
people out otherwise.
>
>
> gruss, clemens
> regards, clemens
>
>
> PS: Since you sent a private mail, I don't feel authorized to Cc the
> list, but you can do this if you want.
I sent it privately by mistake, sorry: CC:ing the list this time.....
Cheers,
Simon.
>
More information about the Dnsmasq-discuss
mailing list