[Dnsmasq-discuss] dns-rebind - RFC 3330

Davy Stoffel davy.stoffel at conostix.com
Wed Jun 13 16:30:00 BST 2012

On 06/12/2012 04:29 PM, Simon Kelley wrote:
> On 12/06/12 11:14, Davy Stoffel wrote:
>> Hi,
>> RFC 3330 defines some private ranges (like RFC 1918)
>> Dnsmasq should not return these ranges.
>> For example, (TEST-NET) is returned when dns-rebind is
>> enabled (v 2.55).
> I think that is the only extra one there that might fit,
> but does it really? DNS rebind attacks give access to internal
> addresses, but no sane network should be using the TEST-NET address
> internally. That's the equivalent of setting your internal domain to
> example.com.

Unfortunately, I saw some network (development environment) with this
range (, maybe someone else ?

I know people should not use this subnet, but it is also subject to this
kind of attack.

>> I see anything in the changelog related to this or maybe is it planned
>> in future releases ?
> No current plans, but it could be added if a consensus appears that it's
> a good idea.
> Opinions, anyone?
> Simon.

As Nicholas said, protecting the IPv6 "private" range would be great!
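
The filtering question debated in this thread, as an added example that is not part of the original message and is not dnsmasq source code: a DNS-answer check with a strict mode (RFC 1918 only) and an extended mode that also drops RFC 3330 special-use ranges such as TEST-NET and the IPv6 "private" ranges. The function name, the two-mode switch and the exact set of extra ranges (loopback, link-local, IPv4-mapped IPv6) are assumptions chosen for illustration and go slightly beyond the ranges named in the thread.

```c
/* Added example, not dnsmasq code; is_rebind_sensitive() is a hypothetical name. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

struct v4net { uint32_t net, mask; };

static const struct v4net rfc1918[] = {
    { 0x0A000000u, 0xFF000000u },   /* 10.0.0.0/8 */
    { 0xAC100000u, 0xFFF00000u },   /* 172.16.0.0/12 */
    { 0xC0A80000u, 0xFFFF0000u },   /* 192.168.0.0/16 */
};
static const struct v4net rfc3330_extra[] = {   /* assumed extended set */
    { 0x7F000000u, 0xFF000000u },   /* 127.0.0.0/8 loopback */
    { 0xA9FE0000u, 0xFFFF0000u },   /* 169.254.0.0/16 link-local */
    { 0xC0000200u, 0xFFFFFF00u },   /* 192.0.2.0/24 TEST-NET */
};

static int in_table(uint32_t a, const struct v4net *t, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if ((a & t[i].mask) == t[i].net) return 1;
    return 0;
}

static int v4_sensitive(uint32_t a, int extended)
{
    if (in_table(a, rfc1918, sizeof rfc1918 / sizeof rfc1918[0])) return 1;
    return extended &&
           in_table(a, rfc3330_extra, sizeof rfc3330_extra / sizeof rfc3330_extra[0]);
}

/* 1 = drop the answer, 0 = allow it, -1 = not an IP address literal. */
int is_rebind_sensitive(const char *text, int extended)
{
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, text, &a4) == 1)
        return v4_sensitive(ntohl(a4.s_addr), extended);
    if (inet_pton(AF_INET6, text, &a6) != 1) return -1;
    if (IN6_IS_ADDR_V4MAPPED(&a6)) {            /* ::ffff:a.b.c.d hides a v4 address */
        const uint8_t *b = a6.s6_addr;
        uint32_t a = ((uint32_t)b[12] << 24) | ((uint32_t)b[13] << 16) |
                     ((uint32_t)b[14] << 8) | b[15];
        return v4_sensitive(a, extended);
    }
    if (!extended) return 0;
    if ((a6.s6_addr[0] & 0xFE) == 0xFC) return 1;                 /* fc00::/7 ULA */
    return a6.s6_addr[0] == 0xFE && (a6.s6_addr[1] & 0xC0) == 0x80; /* fe80::/10 */
}
```

In strict mode a TEST-NET or IPv6 ULA answer passes through, which is the gap the thread is about; extended mode drops both.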