[Dnsmasq-discuss] dns-rebind - RFC 3330

Nicholas Weaver nweaver at gmail.com
Tue Jun 12 16:47:50 BST 2012


I'm assuming this can be disabled for using DNSMasq in a corporate environment, correct?  

Assuming that's the case.


This looks good:

On Jun 12, 2012, at 8:26 AM, Simon Kelley wrote:
> 127.0.0.0/8    (loopback)  (separately configured)
> 192.168.0.0/16 (private)
> 10.0.0.0/8     (private)
> 172.16.0.0/12  (private)
> 169.254.0.0/16 (zeroconf)

But I'd also consider adding in

239.255.255.250 (SSDP/UPnP multicast address)

(Yes, I'm paranoid.  I don't think a DNS rebinding attack would work, but I'd rather not chance it...)
V6 needs some thought, too (and urgently, it's starting to get turned on for residential customers):

These clearly need the same treatment for AAAA records:

FC00::/7 (Unique local unicast)
FE80::/10 (Link local unicast)

Should clearly be blocked, as being equivalent to the private addresses in IPv4.


Anything in the DNSMasq instance's allocated subnet for IPv6 (specifically the NAT would be a juicy target for DNS rebinding) must be on the blocked list.
Possibly the multicast addresses defined for "all nodes" and for routers:

      All Nodes Addresses:    FF01:0:0:0:0:0:0:1
                              FF02:0:0:0:0:0:0:1

      All Routers Addresses:   FF01:0:0:0:0:0:0:2
                               FF02:0:0:0:0:0:0:2
                               FF05:0:0:0:0:0:0:2
