[Dnsmasq-discuss] configurable stop-dns-rebind?

Simon Kelley simon at thekelleys.org.uk
Sat May 15 21:05:53 BST 2010


clemens fischer wrote:
> Hi Simon, did you intend to send this privately?  The dnsmasq list was
> not Cc'ed.
> 
>> Simon Kelley:
> 
>> clemens fischer wrote:
>>
>>> Simon Kelley wrote:
>>>> The fact that stop-dns-rebind blocks 127.0.0.0 is a bit of a
>>>> coincidence, which comes from the fact that it uses the same
>>>> address-checking code as --bogus-priv. My understanding of the
>>>> rebind attack is that it can't be done via 127.0.0.1: That might
>>>> get you a backdoor into the machine running the program being
>>>> attacked, but nothing you can't get by using "localhost" to do the
>>>> same thing.
>>> Sorry, I don't understand that last sentence.
>> Javascript or whatever running on a browser may be able to make
>> connections to the same machine via 127.0.0.1 that would not pass
>> through a firewall. It's possible to do that by using the domain
>> "localhost", which always resolves to 127.0.0.1; it doesn't need a
>> special domain returning IP addresses to do it.
>>
>>> AFAIK the rebinding attack makes user programs act as proxies after an
>>> attacker's domain suddenly resolved to an RFC1918 IP.
>> exactly, the proxies can be used to attack the machine they are
>> running on too.
> 
> As a matter of fact, any program asking for an IP and getting one from
> the RFC1918 range could turn into a proxy.  The user's browser is the
> prime target for this attack.  This is what I meant by "proxy".
> 
>>>> I therefore propose to remove the rebind-domain-ok option, and
>>>> just change stop-dns-rebind to reject RFC1918 addresses, and not
>>>> 127.0.0.0/8
>>> But then what is rob supposed to do with his VPNs?  He needs RFC1918
>>> IPs and cannot use stop-dns-rebind currently.
> 
>> Good point, maybe both changes are needed?
> 
> To me your changes from test25..test27 were quite adequate by using the
> bogus-priv checks.  Rob said he wants his VPN remotes to resolve.  I can
> imagine he just enters the remotes as rebind-domain-ok domains and is
> happy.

I think so too, but it doesn't fix my problem of the large-and-growing
list of possible RBL domains in spamassassin rules. To avoid having a
large number of domains in /etc/dnsmasq.conf, removing 127.0.0.0/8 from
the addresses banned by stop-dns-rebind works much better, and doesn't
remove any protection.

> 
> BTW, I tested test27 and it's working perfectly.  It's fast and the
> logging is much better for my purposes than anything bind or pdnsd give
> me.

Great. I've put up test28 which makes the 127.0.0.0/8 change, and also
allows

rebind-domain-ok=thekelleys.org.uk

without the '/' characters if only one domain is given. That will catch
people out otherwise.


> 
> 
> regards, clemens
> 
> 
> PS:  Since you sent a private mail, I don't feel authorized to Cc the
> list, but you can do this if you want.

I sent it privately by mistake, sorry: CC:ing the list this time.....



Cheers,

Simon.

> 
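The thread describes what stop-dns-rebind does to upstream answers (refuse RFC1918 addresses, and until test28 also 127.0.0.0/8), why the loopback rule breaks DNSBL lookups that deliberately return 127.0.0.x, and how rebind-domain-ok whitelists a domain such as a VPN's. The following Python is an added model of that filter, written for this page; it is not dnsmasq's own code (which works on raw DNS packets in C). It assumes rebind-domain-ok matches a domain and its subdomains, decides per A record, looks only at IPv4, and the names and addresses in the sample are constructed (example domains and a TEST-NET-3 address):

```python
import ipaddress

# Added example, not dnsmasq code: a model of the stop-dns-rebind answer
# filter discussed in the thread. Ranges, whitelist semantics and the
# per-record decision are simplifications of what dnsmasq does on packets.

# Private ranges from RFC 1918 that stop-dns-rebind always refuses.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Loopback range: refused up to test27, no longer refused from test28.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_rebind_domain_ok(value):
    """Parse the value of a rebind-domain-ok= line.

    Accepts the slash-delimited form '/a/b/' and, as allowed from test28,
    a bare single domain 'a' with no slashes.
    """
    value = value.strip()
    if "/" in value:
        parts = [p for p in value.split("/") if p]
    else:
        parts = [value] if value else []
    return {p.lower().rstrip(".") for p in parts}


def domain_is_ok(name, ok_domains):
    """True if name is a whitelisted domain or a subdomain of one (assumed semantics)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in ok_domains)


def answer_is_rebind(name, addr, ok_domains=frozenset(), block_loopback=False):
    """Decide whether an A record (name -> addr) should be refused.

    block_loopback=True models test27 (127.0.0.0/8 refused);
    block_loopback=False models test28 (only RFC 1918 refused).
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return False  # the thread only discusses IPv4 ranges
    if domain_is_ok(name, ok_domains):
        return False
    if any(ip in net for net in RFC1918):
        return True
    return block_loopback and ip in LOOPBACK


def filter_answers(answers, ok_domains=frozenset(), block_loopback=False):
    """Split (name, addr) pairs into those passed through and those refused."""
    kept, refused = [], []
    for name, addr in answers:
        target = refused if answer_is_rebind(name, addr, ok_domains, block_loopback) else kept
        target.append((name, addr))
    return kept, refused


# Constructed sample answers, not real DNS data.
SAMPLE_ANSWERS = [
    ("www.attacker.example", "192.168.1.1"),    # rebinding: public name -> LAN address
    ("remote.vpn.example", "10.8.0.5"),         # Rob's VPN case: private address that must resolve
    ("2.0.0.127.rbl.example", "127.0.0.2"),     # DNSBL listing: answer inside 127.0.0.0/8
    ("www.thekelleys.org.uk", "203.0.113.10"),  # ordinary public answer (TEST-NET-3 address)
]

# One whitelisted domain, as a VPN user would put in /etc/dnsmasq.conf.
OK_DOMAINS = parse_rebind_domain_ok("/vpn.example/")


def demo():
    """Return (kept, refused) for the sample under test27 and test28 rules."""
    return {
        "test27": filter_answers(SAMPLE_ANSWERS, OK_DOMAINS, block_loopback=True),
        "test28": filter_answers(SAMPLE_ANSWERS, OK_DOMAINS, block_loopback=False),
    }


if __name__ == "__main__":
    for version, (kept, refused) in demo().items():
        print(version, "kept:", kept, "refused:", refused)
```

Under the test27 rules the DNSBL answer is refused alongside the genuine rebinding attempt, which is exactly the spamassassin problem Simon describes; under the test28 rules only the RFC1918 answer for the non-whitelisted name is refused, while the VPN name gets through because of rebind-domain-ok.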



