[Dnsmasq-discuss] configurable stop-dns-rebind?
clemens fischer
ino-news at spotteswoode.dnsalias.org
Fri May 14 22:52:02 BST 2010
Simon Kelley wrote:
> The fact that stop-dns-rebind blocks 127.0.0.0 is bit of
> a coincidence, which comes from the fact that it uses the same
> address-checking code as --bogus-priv. My understanding of the rebind
> attack is that it can't be done via 127.0.0.1: That might get you
> a backdoor into the machine running the program being attacked, but
> nothing you can't get be using "localhost" to do the same thing.
Sorry, I don't understand that last sentence.
AFAIK the rebinding attack makes user programs act as proxies after an
attackers domain suddenly resolved to a rfc1918 IP.
> I therefore propose to remove the rebind-domain-ok option, and just
> change stop-dns-rebind to reject RFC1918 addresses, and not
> 127.0.0.0/8
But then what is rob supposed to do with his VPN's? He needs RFC1918
IPs and cannot use stop-dns-rebind currently.
clemens
More information about the Dnsmasq-discuss
mailing list