[Dnsmasq-discuss] --stop-dns-rebind throws out an entire response even when it contains valid (non-private) addresses

Mark Mentovai mark at moxienet.com
Sun Aug 23 18:22:00 BST 2015


Simon and friends,

I’ve found that dnsmasq (I’m using 2.73) with --stop-dns-rebind enabled
discards an entire DNS response even when only one of the addresses that it
contains would constitute a possible rebind attack. I would have expected
it to only discard the invalid address.

I searched this mailing list and found that Leonid Isaev asked this
question last year[1], but there were no responses.

I’m currently seeing this problem when attempting to resolve a name whose
server almost definitely shouldn’t be responding with a private-use
address. Rather than accepting the valid public address, dnsmasq discards
both.

Here’s my query:

$ dig +nocmd +noquestion +nostats www.titantv.com. @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50293
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.titantv.com. 21151 IN A 66.43.219.201
www.titantv.com. 451 IN A 192.168.10.173

But when I run the same query against dnsmasq, I get an empty answer:

$ dig +nocmd +noquestion +nostats www.titantv.com.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39921
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

and dnsmasq logs:

Sun Aug 23 17:15:17 2015 daemon.warn dnsmasq[1524]: possible DNS-rebind attack detected: www.titantv.com

I expected dnsmasq to discard 192.168.10.173 but still respond with
66.43.219.201. Is its behavior intentional?

[1] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2014q3/008754.html
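An added illustration, not part of the post and not dnsmasq's code: it parses the dig answer lines quoted above and contrasts the observed all-or-nothing rebind filter with the per-record filter the poster expected. The private-use ranges are an assumption approximating dnsmasq's check, and the sample answer is constructed from the quoted dig output.

```python
"""Two ways a resolver can apply a DNS-rebind filter to one answer set."""
import ipaddress
import re

# Assumed set of "private-use" ranges for rebind purposes; this approximates
# what a resolver like dnsmasq rejects and is not taken from its source.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

# Matches one dig answer line, e.g. "www.titantv.com. 451 IN A 192.168.10.173"
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$")


def parse_a_records(dig_output):
    """Extract (name, ttl, address) tuples from A records in dig output."""
    records = []
    for line in dig_output.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3)))
    return records


def is_private(addr):
    """True if addr falls in one of the assumed private-use ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def filter_whole_response(records):
    """Observed behaviour: one private address discards the entire answer."""
    if any(is_private(addr) for _, _, addr in records):
        return []
    return list(records)


def filter_per_record(records):
    """Behaviour the post expected: drop only the private addresses."""
    return [r for r in records if not is_private(r[2])]


# Constructed sample, copied from the dig ANSWER SECTION quoted in the post.
SAMPLE = """\
www.titantv.com. 21151 IN A 66.43.219.201
www.titantv.com. 451 IN A 192.168.10.173
"""

if __name__ == "__main__":
    recs = parse_a_records(SAMPLE)
    print("whole-response filter:", filter_whole_response(recs))
    print("per-record filter:   ", filter_per_record(recs))
```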