[Dnsmasq-discuss] configurable stop-dns-rebind?

clemens fischer ino-news at spotteswoode.dnsalias.org
Fri May 14 22:52:02 BST 2010


Simon Kelley wrote:

> The fact that stop-dns-rebind blocks 127.0.0.0 is a bit of
> a coincidence, which comes from the fact that it uses the same
> address-checking code as --bogus-priv. My understanding of the rebind
> attack is that it can't be done via 127.0.0.1: That might get you
> a backdoor into the machine running the program being attacked, but
> nothing you can't get by using "localhost" to do the same thing.

Sorry, I don't understand that last sentence.

AFAIK the rebinding attack makes user programs act as proxies after an
attacker's domain suddenly resolved to an RFC1918 IP.

> I therefore propose to remove the rebind-domain-ok option, and just
> change stop-dns-rebind to reject RFC1918 addresses, and not
> 127.0.0.0/8

But then what is rob supposed to do with his VPNs?  He needs RFC1918
IPs and cannot use stop-dns-rebind currently.


clemens
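An added illustration, not dnsmasq's own code and not part of this thread, modelling the two behaviours under discussion: the current stop-dns-rebind check, which treats 127.0.0.0/8 like RFC1918 (shared address check with --bogus-priv) and honours rebind-domain-ok, and the proposal to drop the allowlist and stop rejecting loopback. The config keys are dnsmasq's; Policy, parse_config and filter_answer are assumed names, and the domains and addresses are constructed.

```python
"""Toy model of dnsmasq's rebind answer filter (added example, not dnsmasq code)."""
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass
class Policy:
    stop_dns_rebind: bool = False
    # Current behaviour: 127/8 is rejected along with RFC1918 because the
    # same address check as --bogus-priv is reused.  The proposal in the
    # thread corresponds to block_loopback=False with an empty allowlist.
    block_loopback: bool = True
    rebind_domain_ok: list = field(default_factory=list)


def parse_config(text):
    """Read the subset of dnsmasq.conf lines relevant to rebind filtering."""
    p = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition("=")
        if key == "stop-dns-rebind":
            p.stop_dns_rebind = True
        elif key == "rebind-domain-ok":          # syntax: rebind-domain-ok=/a.example/b.example/
            p.rebind_domain_ok += [d.lower() for d in val.split("/") if d]
    return p


def domain_allowed(qname, ok_list):
    """True if qname is one of, or a subdomain of, the allowlisted domains."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in ok_list)


def is_private(addr, block_loopback):
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in RFC1918):
        return True
    return block_loopback and ip in LOOPBACK


def filter_answer(policy, qname, addr):
    """Return True if an A record <qname> -> <addr> should be dropped."""
    if not policy.stop_dns_rebind:
        return False
    if domain_allowed(qname, policy.rebind_domain_ok):
        return False                             # e.g. rob's VPN names on RFC1918
    return is_private(addr, policy.block_loopback)
```

Running the same VPN answer through both policies shows the objection raised above: without rebind-domain-ok, an allowlisted VPN host on 10.8.0.0/16 is rejected just like a rebinding answer.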