[Dnsmasq-discuss] dns-rebind - RFC 3330
Nicholas Weaver
nweaver at gmail.com
Tue Jun 12 16:47:50 BST 2012
I'm assuming this can be disabled for using DNSMasq in a corporate environment, correct?
Assuming that's the case.
This looks good:
On Jun 12, 2012, at 8:26 AM, Simon Kelley wrote:
> 127.0.0.0/8 (loopback) (separately configured)
> 192.168.0.0/16 (private)
> 10.0.0.0/8 (private)
> 172.16.0.0/12 (private)
> 169.254.0.0/16 (zeroconf)
But I'd also consider adding in
239.255.255.250 (SSDP/UPnP multicast address)
(Yes, I'm paranoid. I don't think a DNS rebinding attack would work, but I'd rather not chance it...)
V6 needs some thought, too (and urgently, it's starting to get turned on for residential customers):
These clearly need the same treatment for AAAA records:
FC00::/7 (Unique local unicast)
FE80::/10 (Link local unicast)
Should clearly be blocked, as being equivalent to the private addresses in IPv4.
Anything in the DNSMasq instance's allocated subnet for IPv6 (specifically the NAT would be a juicy target for DNS rebinding) must be on the blocked list.
Possibly the multicast addresses defined for "all nodes" and for routers:
All Nodes Addresses: FF01:0:0:0:0:0:0:1
FF02:0:0:0:0:0:0:1
All Routers Addresses: FF01:0:0:0:0:0:0:2
FF02:0:0:0:0:0:0:2
FF05:0:0:0:0:0:0:2
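As an added illustration of the filtering being discussed (this is example code, not dnsmasq's own implementation, which provides it as the stop-dns-rebind option), the following Python checks resolved A and AAAA answers against the ranges named in the thread. The block list, the sample answers, the local prefix 2001:db8::/32 (the documentation prefix, standing in for the instance's own IPv6 subnet), and the record tuple layout are all constructed for this example. It also handles one edge case the thread's IPv6 point implies: an IPv4-mapped IPv6 address in an AAAA answer is unwrapped and checked as IPv4, so a private IPv4 target cannot slip through on the AAAA path.

```python
import ipaddress

# Constructed block list, following the ranges discussed in the thread.
# Which of these a deployment actually blocks is a local decision.
REBIND_BLOCKED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",         # loopback
    "10.0.0.0/8",          # private
    "172.16.0.0/12",       # private
    "192.168.0.0/16",      # private
    "169.254.0.0/16",      # zeroconf / link-local
    "239.255.255.250/32",  # SSDP/UPnP multicast
    "fc00::/7",            # IPv6 unique local unicast
    "fe80::/10",           # IPv6 link local unicast
    "ff01::1/128", "ff02::1/128",                 # all nodes
    "ff01::2/128", "ff02::2/128", "ff05::2/128",  # all routers
)]


def is_rebind_target(addr_text, local_prefixes=()):
    """Return True if a resolved address points somewhere an external name
    should never legitimately resolve to: a private, link-local or
    multicast range, or one of the caller's own prefixes."""
    addr = ipaddress.ip_address(addr_text)
    # An IPv4-mapped IPv6 address (::ffff:192.168.1.1) carries an IPv4
    # target inside an AAAA answer; check the embedded IPv4 address instead.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return is_rebind_target(str(addr.ipv4_mapped), local_prefixes)
    nets = REBIND_BLOCKED + [ipaddress.ip_network(p) for p in local_prefixes]
    return any(addr in n for n in nets if n.version == addr.version)


def filter_answers(answers, local_prefixes=()):
    """Split (name, rrtype, rdata) answers into (kept, dropped).
    Only A and AAAA rdata are address-checked; other types pass through."""
    kept, dropped = [], []
    for name, rrtype, rdata in answers:
        if rrtype in ("A", "AAAA") and is_rebind_target(rdata, local_prefixes):
            dropped.append((name, rrtype, rdata))
        else:
            kept.append((name, rrtype, rdata))
    return kept, dropped


# Constructed sample answers (names and addresses invented for the example;
# 203.0.113.0/24 and 2001:db8::/32 are documentation ranges).
SAMPLE_ANSWERS = [
    ("cdn.example",     "A",    "203.0.113.10"),     # public, kept
    ("suspect.example", "A",    "192.168.1.1"),      # private, dropped
    ("suspect.example", "AAAA", "fe80::1"),          # link local, dropped
    ("suspect.example", "AAAA", "::ffff:10.0.0.1"),  # mapped private, dropped
    ("suspect.example", "A",    "239.255.255.250"),  # SSDP multicast, dropped
    ("suspect.example", "AAAA", "2001:db8::1"),      # inside local prefix, dropped
    ("mail.example",    "MX",   "10 mx.example"),    # not an address, kept
]

# Hypothetical local IPv6 prefix standing in for the instance's own subnet.
LOCAL_PREFIXES = ("2001:db8::/32",)


def run_sample():
    """Apply the filter to the constructed answers; returns (kept, dropped)."""
    return filter_answers(SAMPLE_ANSWERS, LOCAL_PREFIXES)


if __name__ == "__main__":
    kept, dropped = run_sample()
    for rec in dropped:
        print("dropped (rebind target):", rec)
    for rec in kept:
        print("kept:", rec)
```

The version check in is_rebind_target keeps IPv4 ranges from being compared against IPv6 addresses and vice versa; the mapped-address unwrap is the one place where an address deliberately crosses that line.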