[Dnsmasq-discuss] dns-rebind - RFC 3330

Nicholas Weaver nweaver at gmail.com
Tue Jun 12 16:47:50 BST 2012

I'm assuming this can be disabled for using DNSMasq in a corporate environment, correct?  

Assuming that's the case.

This looks good:

On Jun 12, 2012, at 8:26 AM, Simon Kelley wrote:
>    (loopback)  (separately configured)
> (private)
>     (private)
>  (private)
> (zeroconf)

But I'd also consider adding in (SSDP/UPnP multicast address)

(Yes, I'm paranoid.  I don't think a DNS rebinding attack would work, but I'd rather not chance it...)

V6 needs some thought, too (and urgently, it's starting to get turned on for residential customers):

These clearly need the same treatment for AAAA records:

FC00::/7 (Unique local unicast)
FE80::/10 (Link local unicast)

Should clearly be blocked, as being equivalent to the private addresses in IPv4.

Anything in the DNSMasq instance's allocated subnet for IPv6 (specifically, the NAT would be a juicy target for DNS rebinding) must be on the blocked list.

Possibly the multicast addresses defined for "all nodes" and for routers:

      All Nodes Addresses:    FF01:0:0:0:0:0:0:1

      All Routers Addresses:   FF01:0:0:0:0:0:0:2
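As an added example (not code from this thread and not dnsmasq's own implementation), here is a small Python filter that applies the AAAA block list the message proposes: FC00::/7, FE80::/10, the two interface-local multicast addresses, and the resolver's own IPv6 subnet. The local subnet is an assumption and uses the documentation prefix 2001:db8:1::/48 as a placeholder; the sample answers are constructed.

```python
import ipaddress

# Ranges the message argues should be rejected in AAAA answers.
BLOCKED_V6 = [
    ipaddress.ip_network("fc00::/7"),     # unique local unicast
    ipaddress.ip_network("fe80::/10"),    # link-local unicast
    ipaddress.ip_network("ff01::1/128"),  # all nodes (interface-local)
    ipaddress.ip_network("ff01::2/128"),  # all routers (interface-local)
]

# Placeholder for the dnsmasq instance's own IPv6 subnet (assumed value).
LOCAL_PREFIX = "2001:db8:1::/48"


def blocked_ranges(local_prefix=LOCAL_PREFIX):
    """Block list extended with the instance's own allocated subnet."""
    return BLOCKED_V6 + [ipaddress.ip_network(local_prefix, strict=False)]


def is_rebind_target(addr, local_prefix=LOCAL_PREFIX):
    """True if an AAAA answer points into a range a rebinding attack could reach."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        raise ValueError("AAAA check only handles IPv6 addresses")
    return any(ip in net for net in blocked_ranges(local_prefix))


def filter_aaaa(answers, local_prefix=LOCAL_PREFIX):
    """Split (name, address) AAAA answers into accepted and rejected lists."""
    accepted, rejected = [], []
    for name, addr in answers:
        bucket = rejected if is_rebind_target(addr, local_prefix) else accepted
        bucket.append((name, addr))
    return accepted, rejected


# Constructed sample answers, as an upstream resolver might return them.
SAMPLE_ANSWERS = [
    ("www.example.net", "2001:db8:ffff::1"),   # outside every blocked range
    ("evil.example.org", "fd12:3456::1"),      # unique local, rejected
    ("evil.example.org", "fe80::1"),           # link-local, rejected
    ("evil.example.org", "ff01::2"),           # all routers, rejected
    ("evil.example.org", "2001:db8:1:2::5"),   # inside the local subnet, rejected
    ("mcast.example.net", "ff02::1"),          # link-local scope, not on the list
]

if __name__ == "__main__":
    ok, bad = filter_aaaa(SAMPLE_ANSWERS)
    print("accepted:", ok)
    print("rejected:", bad)
```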
