[Dnsmasq-discuss] dns-rebind - RFC 3330
davy.stoffel at conostix.com
Wed Jun 13 16:30:00 BST 2012
On 06/12/2012 04:29 PM, Simon Kelley wrote:
> On 12/06/12 11:14, Davy Stoffel wrote:
>> RFC 3330 defines some private ranges (like RFC 1918)
>> Dnsmasq should not return these ranges.
>> For example, 192.0.2.0/24 (TEST-NET) is returned when dns-rebind is
>> enabled (v 2.55).
> I think that 192.0.2.0/24 is the only extra one there that might fit,
> but does it really? DNS rebind attacks give access to internal
> addresses, but no sane network should be using the TEST-NET address
> internally. That's the equivalent of setting your internal domain to
Unfortunately, I saw some network (development environment) with this
range (192.0.2.0/24), maybe someone else?
I know people should not use this subnet, but it is also subject to this
kind of attack.
>> I see anything in the changelog related to this or maybe is it planned
>> in future releases?
> No current plans, but it could be added if a consensus appears that it's
> a good idea.
> Opinions, anyone?
As said by Nicholas, protecting the IPv6 "private" range will be great!
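
The difference discussed in this thread, as an added example that is not part of the original message and is not dnsmasq's code: the same upstream answer is checked against an assumed RFC 1918-only blocklist and against one that also carries 192.0.2.0/24. The list contents, `rebind_match` and the sample answers are hypothetical, and IPv6 is not covered.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
#define COUNT(x) (sizeof(x) / sizeof((x)[0]))

/* One blocked range: network address in host byte order, prefix length, label. */
struct cidr { uint32_t net; int bits; const char *label; };

/* Assumed baseline for comparison: RFC 1918 only (hypothetical, not dnsmasq's list). */
static const struct cidr rfc1918_only[] = {
    { IP4(10,0,0,0), 8, "RFC1918" },
    { IP4(172,16,0,0), 12, "RFC1918" },
    { IP4(192,168,0,0), 16, "RFC1918" },
};

/* Same baseline plus the RFC 3330 TEST-NET block raised in the thread. */
static const struct cidr with_test_net[] = {
    { IP4(10,0,0,0), 8, "RFC1918" },
    { IP4(172,16,0,0), 12, "RFC1918" },
    { IP4(192,168,0,0), 16, "RFC1918" },
    { IP4(192,0,2,0), 24, "TEST-NET" },
};

/* Returns the label of the range that contains the answer, NULL if the answer
   may pass, or "invalid" for unparseable input so the caller fails closed. */
static const char *rebind_match(const char *answer, const struct cidr *list, size_t n)
{
    struct in_addr a;
    if (inet_pton(AF_INET, answer, &a) != 1)
        return "invalid";
    uint32_t ip = ntohl(a.s_addr);
    for (size_t i = 0; i < n; i++) {
        uint32_t mask = list[i].bits ? ~(uint32_t)0 << (32 - list[i].bits) : 0;
        if ((ip & mask) == list[i].net)
            return list[i].label;
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample answers, as an upstream server might return them. */
    const char *answers[] = { "192.0.2.10", "192.168.1.5", "8.8.8.8" };
    for (size_t i = 0; i < COUNT(answers); i++) {
        const char *base = rebind_match(answers[i], rfc1918_only, COUNT(rfc1918_only));
        const char *ext = rebind_match(answers[i], with_test_net, COUNT(with_test_net));
        printf("%-12s baseline=%s extended=%s\n", answers[i],
               base ? base : "pass", ext ? ext : "pass");
    }
    return 0;
}
```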