[Dnsmasq-discuss] --stop-dns-rebind throws out an entire response even when it contains valid (non-private) addresses

Simon Kelley simon at thekelleys.org.uk
Tue Aug 25 22:07:59 BST 2015


As far as I can remember, there are two reasons for this behaviour.

1) Nobody really considered the alternative.

2) The alternative is really difficult to implement. Turning a DNS
answer into an empty answer basically involves truncating the packet:
selectively removing RRs is much harder.

Reason two has less force these days, as the problem had to be solved as
part of the DNSSEC effort. I'm guessing that the code which strips
RRSIGS from signed answers could be generalised to strip arbitrary A
records without too much trouble.

Simon.
On 23/08/15 18:22, Mark Mentovai wrote:
> Simon and friends,
> 
> I’ve found that dnsmasq (I’m using 2.73) with --stop-dns-rebind enabled
> discards an entire DNS response even when only one of the addresses that it
> contains would constitute a possible rebind attack. I would have expected
> it to only discard the invalid address.
> 
> I searched this mailing list and found that Leonid Isaev asked this
> question last year[1], but there were no responses.
> 
> I’m currently seeing this problem when attempting to resolve a name whose
> server almost definitely shouldn’t be responding with a private-use
> address. Rather than accepting the valid public address, dnsmasq discards
> both.
> 
> Here’s my query:
> 
> $ dig +nocmd +noquestion +nostats www.titantv.com. @8.8.8.8
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50293
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; ANSWER SECTION:
> www.titantv.com. 21151 IN A 66.43.219.201
> www.titantv.com. 451 IN A 192.168.10.173
> 
> But when I run the same query against dnsmasq, I get an empty answer:
> 
> $ dig +nocmd +noquestion +nostats www.titantv.com.
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39921
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> and dnsmasq logs:
> 
> Sun Aug 23 17:15:17 2015 daemon.warn dnsmasq[1524]: possible DNS-rebind
> attack detected: www.titantv.com
> 
> I expected dnsmasq to discard 192.168.10.173 but still respond with
> 66.43.219.201. Is its behavior intentional?
> 
> [1]
> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2014q3/008754.html
> 