[Dnsmasq-discuss] --stop-dns-rebind throws out an entire response even when it contains valid (non-private) addresses
mark at moxienet.com
Sun Aug 23 18:22:00 BST 2015
Simon and friends,
I’ve found that dnsmasq (I’m using 2.73) with --stop-dns-rebind enabled
discards an entire DNS response even when only one of the addresses that it
contains would constitute a possible rebind attack. I would have expected
it to only discard the invalid address.
I searched this mailing list and found that Leonid Isaev asked this
question last year, but there were no responses.
I’m currently seeing this problem when attempting to resolve a name whose
server almost definitely shouldn’t be responding with a private-use
address. Rather than accepting the valid public address, dnsmasq discards
Here’s my query:
$ dig +nocmd +noquestion +nostats www.titantv.com. @184.108.40.206
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50293
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
www.titantv.com. 21151 IN A 220.127.116.11
www.titantv.com. 451 IN A 192.168.10.173
But when I run the same query against dnsmasq, I get an empty answer:
$ dig +nocmd +noquestion +nostats www.titantv.com.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39921
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
and dnsmasq logs:
Sun Aug 23 17:15:17 2015 daemon.warn dnsmasq: possible DNS-rebind attack detected: www.titantv.com
I expected dnsmasq to discard 192.168.10.173 but still respond with
18.104.22.168. Is its behavior intentional?
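The two behaviours being compared in this thread (drop the whole upstream answer versus drop only the private-range records) can be shown side by side on a small in-memory answer section. The code below is an added illustration written for this page, not dnsmasq's own code: the record shape, the private-range policy list and the log wording are this example's assumptions, and the sample records are constructed (a documentation-range address stands in for the public one).

```python
"""Whole-response vs. per-record DNS-rebind filtering (added illustration, not dnsmasq code)."""
import ipaddress
from typing import List, NamedTuple, Tuple


class RR(NamedTuple):
    """One resource record from an answer section (assumed shape for this example)."""
    name: str
    ttl: int
    rtype: str   # "A", "AAAA", "CNAME", ...
    rdata: str


# Address ranges treated as rebind targets. This is the example's own policy list
# (RFC 1918, loopback, link-local, "this network", IPv6 ULA/link-local/loopback/unspecified);
# dnsmasq's exact list may differ.
REBIND_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_rebind_target(rdata: str) -> bool:
    """True if an A/AAAA rdata lands in one of REBIND_NETS.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped first so that
    ::ffff:192.168.1.1 is caught by the IPv4 rules.
    """
    try:
        ip = ipaddress.ip_address(rdata)
    except ValueError:
        return False  # not an address literal; nothing to check here
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # `in` is False for a version mismatch, so no need to split by family.
    return any(ip in net for net in REBIND_NETS)


def offending_records(answers: List[RR]) -> List[RR]:
    """Address records in the answer that point into a rebind range."""
    return [rr for rr in answers if rr.rtype in ("A", "AAAA") and is_rebind_target(rr.rdata)]


def filter_whole_response(qname: str, answers: List[RR]) -> Tuple[List[RR], List[str]]:
    """Conservative policy, as the thread observes dnsmasq doing: one bad address
    discards every record and yields an empty answer plus a warning."""
    bad = offending_records(answers)
    if bad:
        return [], [f"possible DNS-rebind attack detected: {qname}"]
    return list(answers), []


def filter_per_record(qname: str, answers: List[RR]) -> Tuple[List[RR], List[str]]:
    """The behaviour the poster expected: keep public records, drop only the private ones."""
    bad = offending_records(answers)
    kept = [rr for rr in answers if rr not in bad]
    logs = [f"dropped private-range address {rr.rdata} from answer for {qname}" for rr in bad]
    return kept, logs


# Constructed sample answer modelled on the thread: one public address (documentation
# range 203.0.113.0/24 used as a stand-in) and one RFC 1918 address.
SAMPLE_QNAME = "www.example.com."
SAMPLE_ANSWERS = [
    RR(SAMPLE_QNAME, 21151, "A", "203.0.113.5"),
    RR(SAMPLE_QNAME, 451, "A", "192.168.10.173"),
]


if __name__ == "__main__":
    for label, policy in (("whole-response", filter_whole_response),
                          ("per-record", filter_per_record)):
        kept, logs = policy(SAMPLE_QNAME, SAMPLE_ANSWERS)
        print(f"{label}: kept={[rr.rdata for rr in kept]} logs={logs}")
```

Running it shows the whole-response policy returning an empty answer and a single warning, while the per-record policy returns only the public address. From a defender's side the whole-response discard is the safer default: the upstream answer comes from a zone the attacker may fully control, so a response mixing public and private addresses is itself the signal, and keeping part of it means trusting the rest of that same response.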