[Dnsmasq-discuss] dns-rebind - RFC 3330

Simon Kelley simon at thekelleys.org.uk
Tue Jun 12 16:26:22 BST 2012


On 12/06/12 15:33, Nicholas Weaver wrote:
> 
> On Jun 12, 2012, at 7:29 AM, Simon Kelley wrote:
> 
>> On 12/06/12 11:14, Davy Stoffel wrote:
>>> Hi,
>>>
>>> RFC 3330 defines some private ranges (like RFC 1918)
>>> Dnsmasq should not return these ranges.
>>>
>>> For example, 192.0.2.0/24 (TEST-NET) is returned when dns-rebind is
>>> enabled (v 2.55).
>>
>> I think that 192.0.2.0/24 is the only extra one there that might fit,
>> but does it really? DNS rebind attacks give access to internal
>> addresses, but no sane network should be using the TEST-NET address
>> internally. That's the equivalent of setting your internal domain to
>> example.com.
>>
>>>
>>> I see anything in the changelog related to this or maybe is it planned
>>> in future releases ?
>>
>>
>> No current plans, but it could be added if a consensus appears that it's
>> a good idea.
> 
> Whats the current ruleset?
> 
> 
> 

127.0.0.0/8    (loopback)  (separately configured)
192.168.0.0/16 (private)
10.0.0.0/8     (private)
172.16.0.0/12  (private)
169.254.0.0/16 (zeroconf)


Simon.





More information about the Dnsmasq-discuss mailing list