[Dnsmasq-discuss] Update rebind attack protection to include IP6 delegation

Ziggy SpaceRat Ziggy.SpaceRat at gmx.de
Sat Jan 27 22:28:27 GMT 2018



> Some circumstances may be vulnerable to DNS rebinding attacks
> against global IPv6 addresses. Through DHCPv6-PD the local network is
> a uniquely identifying global subnet. This makes DNS rebinding to a
> local machine on its global IPv6 as easy as traditional RFC1918. It
> would be a good idea to eliminate any local network IP (RFC1918 or
> otherwise) from global DNS responses.

I would consider that a BUG (Actually it does exist as a bug ... in AVM
Fritz!Boxes).
Public IPs are public IPs are public IPs.

One of the benefits of IPv6 is that everybody, incl. normal private
users, can finally get *public* IPs for all devices.
This effectively removes the need to use different IPs (and sometimes
even ports) for access to the very same resources, depending on if
you are at home/at your office or outside.

That means I can put up a web server on 2001:db8:dead::beef, create an
AAAA record for it and use that new host name from inside as well as
from the outside of my LAN.
No need to use 192.168.blah.blubb:80 from inside and bla.dyn.com:88
from the outside ....

So actually I want my hostnames to resolve anywhere, also at home.


-- 
Kind regards
Ziggy SpaceRat
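
Added example, not part of the original message and not dnsmasq code: the filtering proposed in the quoted text, extended to a DHCPv6-delegated prefix, with a per-domain exemption (in the spirit of dnsmasq's `--rebind-domain-ok` option) so that one's own AAAA records still resolve inside the LAN. The delegated prefix, the hostnames and all function names are assumptions made for illustration.

```python
import ipaddress

# Ranges a rebind filter already treats as local: RFC 1918, loopback,
# IPv6 link-local and unique-local addresses.
STATIC_LOCAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample of upstream answers as (name, address) pairs.
SAMPLE_ANSWERS = [
    ("www.example.net", "2001:db8:dead::beef"),     # own server, own domain
    ("rebind.example.org", "2001:db8:dead::1234"),  # foreign name, LAN host
    ("rebind.example.org", "192.168.1.10"),         # foreign name, RFC 1918
    ("www.example.com", "2001:db8:beef::1"),        # outside delegated prefix
    ("www.example.com", "198.51.100.7"),            # ordinary public IPv4
]

def is_local(addr, delegated_prefixes):
    """True if addr is in a static local range or a delegated prefix."""
    ip = ipaddress.ip_address(addr)
    nets = STATIC_LOCAL + [ipaddress.ip_network(p) for p in delegated_prefixes]
    return any(ip.version == n.version and ip in n for n in nets)

def domain_allowed(name, allowed_domains):
    """True if name equals, or is a subdomain of, an exempted domain."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allowed_domains)

def filter_answers(answers, delegated_prefixes, allowed_domains=()):
    """Split answers into (kept, dropped) under the extended rebind check."""
    kept, dropped = [], []
    for name, addr in answers:
        if is_local(addr, delegated_prefixes) and not domain_allowed(name, allowed_domains):
            dropped.append((name, addr))
        else:
            kept.append((name, addr))
    return kept, dropped

if __name__ == "__main__":
    # Assumed delegated prefix (documentation range) and exempted own domain.
    kept, dropped = filter_answers(SAMPLE_ANSWERS, ["2001:db8:dead::/48"], ["example.net"])
    for name, addr in dropped:
        print("dropped:", name, addr)
    for name, addr in kept:
        print("kept:   ", name, addr)
```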



