[Dnsmasq-discuss] dns-rebind - RFC 3330

Davy Stoffel davy.stoffel at conostix.com
Wed Jun 13 16:30:00 BST 2012


On 06/12/2012 04:29 PM, Simon Kelley wrote:
> On 12/06/12 11:14, Davy Stoffel wrote:
>> Hi,
>>
>> RFC 3330 defines some private ranges (like RFC 1918)
>> Dnsmasq should not return these ranges.
>>
>> For example, 192.0.2.0/24 (TEST-NET) is returned when dns-rebind is
>> enabled (v 2.55).
> 
> I think that 192.0.2.0/24 is the only extra one there that might fit,
> but does it really? DNS rebind attacks give access to internal
> addresses, but no sane network should be using the TEST-NET address
> internally. That's the equivalent of setting your internal domain to
> example.com.

Unfortunately, I saw some network (development environment) with this
range (192.0.2.0/24), maybe someone else?

I know people should not use this subnet, but it is also subject to this
kind of attack.

> 
>>
>> I see anything in the changelog related to this or maybe is it planned
>> in future releases ?
> 
> 
> No current plans, but it could be added if a consensus appears that it's
> a good idea.
> 
> Opinions, anyone?
> 
> 
> Simon.
> 

As Nicholas said, protecting the IPv6 "private" range would be great!

Davy.
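
An added example, not part of the original message and not dnsmasq's code: a small answer filter showing how an RFC 1918-only block list lets a 192.0.2.0/24 answer through, while an extended list catches it. The extended list, the function names and the sample answers are assumptions made for illustration; fc00::/7 and fe80::/10 are one reading of the IPv6 "private" range.

```python
import ipaddress

# Baseline policy for this example: RFC 1918 private ranges only.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Extended policy (assumption): adds TEST-NET from the thread plus IPv6
# unique-local and link-local space as the IPv6 "private" ranges.
EXTENDED = RFC1918 + [ipaddress.ip_network(n) for n in
                      ("192.0.2.0/24", "fc00::/7", "fe80::/10")]


def normalize(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 so that
    ::ffff:10.0.0.5 is checked as 10.0.0.5."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def filter_answers(answers, blocked):
    """Split upstream (name, address) answers into (allowed, rejected)."""
    allowed, rejected = [], []
    for name, addr in answers:
        ip = normalize(addr)
        hit = any(ip.version == net.version and ip in net for net in blocked)
        (rejected if hit else allowed).append((name, addr))
    return allowed, rejected


# Constructed sample answers; the host names are hypothetical.
SAMPLE = [
    ("www.example.net", "8.8.8.8"),               # a public address
    ("rebind.example.net", "192.168.1.1"),        # RFC 1918
    ("rebind.example.net", "192.0.2.15"),         # TEST-NET
    ("rebind.example.net", "::ffff:10.0.0.5"),    # IPv4-mapped RFC 1918
    ("rebind.example.net", "fd12:3456:789a::1"),  # IPv6 unique-local
]

if __name__ == "__main__":
    for label, policy in (("RFC 1918 only", RFC1918), ("extended", EXTENDED)):
        allowed, rejected = filter_answers(SAMPLE, policy)
        print(label, "allowed:", [a for _, a in allowed])
        print(label, "rejected:", [a for _, a in rejected])
```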


