[Dnsmasq-discuss] dns-rebind - RFC 3330
Davy Stoffel
davy.stoffel at conostix.com
Wed Jun 13 16:30:00 BST 2012
On 06/12/2012 04:29 PM, Simon Kelley wrote:
> On 12/06/12 11:14, Davy Stoffel wrote:
>> Hi,
>>
>> RFC 3330 defines some private ranges (like RFC 1918)
>> Dnsmasq should not return these ranges.
>>
>> For example, 192.0.2.0/24 (TEST-NET) is returned when dns-rebind is
>> enabled (v 2.55).
>
> I think that 192.0.2.0/24 is the only extra one there that might fit,
> but does it really? DNS rebind attacks give access to internal
> addresses, but no sane network should be using the TEST-NET address
> internally. That's the equivalent of setting your internal domain to
> example.com.
Unfortunately, I saw some network (development environment) with this
range (192.0.2.0/24); maybe someone else did too?
I know people should not use this subnet, but it is also subject to this
kind of attack.
>
>>
>> I see anything in the changelog related to this or maybe is it planned
>> in future releases ?
>
>
> No current plans, but it could be added if a consensus appears that it's
> a good idea.
>
> Opinions, anyone?
>
>
> Simon.
>
As Nicholas said, protecting the IPv6 "private" range will be great!
Davy.
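
The gap discussed in this thread, as an added example that is not part of the original messages and is not dnsmasq's code: a rebind-style answer filter run once with only the RFC 1918 ranges and once with 192.0.2.0/24 and an IPv6 range added. The sample answers are constructed, and reading IPv6 "private" as unique local addresses (fc00::/7) is an assumption.

```python
import ipaddress

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Baseline: the RFC 1918 private ranges the thread compares against.
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
# Ranges raised in the thread: TEST-NET from RFC 3330, plus IPv6 "private"
# space, assumed here to mean unique local addresses (fc00::/7).
EXTENDED = RFC1918 + nets("192.0.2.0/24", "fc00::/7")

def is_blocked(addr, blocklist):
    """Return True if addr falls inside any network on the blocklist."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 answer (::ffff:a.b.c.d) is checked as its IPv4
    # form, so it cannot slip past the IPv4 ranges.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == n.version and ip in n for n in blocklist)

def filter_answers(answers, blocklist):
    """Split (name, address) upstream answers into (passed, dropped)."""
    passed, dropped = [], []
    for name, addr in answers:
        (dropped if is_blocked(addr, blocklist) else passed).append((name, addr))
    return passed, dropped

# Constructed upstream answers, one per case of interest.
SAMPLE = [
    ("public.example", "8.8.8.8"),
    ("lan.example", "192.168.1.10"),
    ("testnet.example", "192.0.2.10"),
    ("ula.example", "fd12:3456:789a::1"),
    ("mapped.example", "::ffff:10.0.0.5"),
]

if __name__ == "__main__":
    for label, blocklist in (("RFC 1918 only", RFC1918), ("extended", EXTENDED)):
        passed, dropped = filter_answers(SAMPLE, blocklist)
        print(label, "passes:", [name for name, _ in passed])
        print(label, "drops: ", [name for name, _ in dropped])
```

With the RFC 1918 list alone, the TEST-NET and unique local answers reach the client; with the extended list only the public address does.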