[Dnsmasq-discuss] Update rebind attack protection to include IP6 delegation
Eric Luehrsen
ericluehrsen at gmail.com
Sat Jan 27 21:09:01 GMT 2018
This is a request for feature feasibility or acceptability.
Some circumstances may be vulnerable to DNS rebinding attacks against
global IPv6 addresses. Through DHCPv6-PD the local network is a uniquely
identifying global subnet. This makes DNS rebinding to a local machine
on its global IPv6 as easy as traditional RFC1918. It would be a good
idea to eliminate any local network IP (RFC1918 or otherwise) from
global DNS responses.
For dnsmasq, this could be implemented with a few options or option
variations. One option is to rebind protect range on all DHCP served
address, if outside of the normal local IPv4/6 ranges. Another option
would add the IPv4/6 discovered on an interface to the rebind protection
range. Granted few small installations (dnsmasq user base) have the cash
for a global IPv4, but maybe implement this generically for
completeness. This could either reuse the current option or create a new
option. The following is just a rough concept.
--stop-dns-rebind
    Without sub-options, it takes its original actions.

--stop-dns-rebind=dhcp,[tag],[tag],...
    Add DHCPv4/v6 addresses into the rebind protection range. Tag is
    optional, to include only limited subnets; else all DHCP server
    ranges are added.

--stop-dns-rebind=interface:name
    Uses the same method as the DHCPv6 construction to obtain the subnet
    IPv6 prefix. May not work or be implemented for IPv4.

--stop-dns-rebind=address:ipv4/v6
    Just insert any address into the rebind protection range.
Notable use case: if you actually have outward facing servers such as
http or vpn, then they should probably be on a unique subnet DMZ. If
excluding those interfaces in the rebind protection (maybe =dhcp,[tag]),
or running a separate dnsmasq instance for the subnet, then such subnet
would resolve globally and locally without filtering.
Eric
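The filtering behaviour proposed above, modelled as a small Python example. This is added illustrative code, not dnsmasq's own implementation (which is in C) and not part of the original message: it treats a DHCPv6-PD delegated global prefix the same way the existing RFC1918 check treats private IPv4, and lets a tagged subnet (the DMZ case) be excluded so it still resolves. All prefixes, tags, hostnames and addresses are constructed from documentation ranges.

```python
"""Added example: DNS rebind filtering extended to a delegated IPv6 prefix.

Models the behaviour proposed in the post (illustrative, not dnsmasq code):
upstream answers pointing into the local network are dropped, whether that
network is RFC1918 IPv4 or the global IPv6 prefix obtained via DHCPv6-PD.
All prefixes, tags and addresses below are constructed for the example.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Answer = Tuple[str, str]  # (record type, address text)

# Ranges the existing --stop-dns-rebind check already treats as local
# (RFC1918 plus loopback, link-local and ULA), listed here for the model.
BUILTIN_PRIVATE: List[Network] = [
    ipaddress.ip_network(p) for p in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16",
        "::1/128", "fe80::/10", "fc00::/7",
    )
]


class RebindFilter:
    """Rebind protection range = built-in private ranges + tagged DHCP
    subnets, minus any tag explicitly excluded (the DMZ use case)."""

    def __init__(self, dhcp_ranges: Dict[str, str],
                 exclude_tags: Iterable[str] = ()) -> None:
        # dhcp_ranges maps a tag (as a dhcp-range tag would) to the subnet
        # served on that interface; this mirrors "=dhcp,[tag],[tag],...".
        self.exclude_tags = set(exclude_tags)
        self.protected: List[Network] = list(BUILTIN_PRIVATE)
        for tag, prefix in dhcp_ranges.items():
            if tag not in self.exclude_tags:
                self.protected.append(ipaddress.ip_network(prefix, strict=False))

    def is_local(self, addr: str) -> bool:
        """True when addr falls inside any protected prefix."""
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.protected)

    def filter_answers(self, name: str,
                       answers: List[Answer]) -> Tuple[List[Answer], List[Answer]]:
        """Split upstream A/AAAA answers for `name` into (kept, dropped).
        Dropped answers would be the rebind attempts; a real resolver
        would also log them, as dnsmasq does with --log-queries."""
        kept: List[Answer] = []
        dropped: List[Answer] = []
        for rtype, value in answers:
            if rtype in ("A", "AAAA") and self.is_local(value):
                dropped.append((rtype, value))
            else:
                kept.append((rtype, value))
        return kept, dropped


def demo() -> Tuple[List[Answer], List[Answer]]:
    """Constructed scenario: a /48 delegated by the ISP, split into a LAN
    /64 (protected) and a DMZ /64 (excluded so public services resolve)."""
    f = RebindFilter(
        dhcp_ranges={
            "lan": "2001:db8:abcd:1::/64",   # constructed delegated subnet
            "dmz": "2001:db8:abcd:2::/64",   # constructed DMZ subnet
            "lan4": "192.168.1.0/24",        # classic RFC1918 LAN
        },
        exclude_tags={"dmz"},
    )
    # Constructed upstream response for a hostname under attacker control.
    upstream = [
        ("AAAA", "2001:db8:abcd:1::10"),  # points at a LAN host: drop
        ("A", "192.168.1.5"),             # RFC1918 LAN host: drop
        ("A", "203.0.113.7"),             # ordinary public address: keep
        ("AAAA", "2001:db8:abcd:2::80"),  # DMZ web server: keep (excluded)
    ]
    return f.filter_answers("rebind.example", upstream)


if __name__ == "__main__":
    kept, dropped = demo()
    print("kept:", kept)
    print("dropped:", dropped)
```

The tag exclusion is what lets the "outward facing servers on a unique subnet DMZ" case from the post keep resolving both globally and locally while every other delegated subnet is filtered.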