[Dnsmasq-discuss] Update rebind attack protection to include IP6 delegation

Eric Luehrsen ericluehrsen at gmail.com
Sat Jan 27 21:09:01 GMT 2018


This is a request for feature feasibility or acceptability.

Some circumstances may be vulnerable to DNS rebinding attacks against 
global IPv6 addresses. Through DHCPv6-PD the local network is a uniquely 
identifying global subnet. This makes DNS rebinding to a local machine 
on its global IPv6 as easy as traditional RFC1918. It would be a good 
idea to eliminate any local network IP (RFC1918 or otherwise) from 
global DNS responses.

For dnsmasq, this could be implemented with a few options or option 
variations. One option is to rebind protect the range on all DHCP served 
addresses, if outside of the normal local IPv4/6 ranges. Another option 
would add the IPv4/6 discovered on an interface to the rebind protection 
range. Granted, few small installations (dnsmasq user base) have the cash 
for a global IPv4, but maybe implement this generically for 
completeness. This could either reuse the current option or create a new 
option. The following is just a rough concept.

--stop-dns-rebind
without sub options, it takes its original actions

--stop-dns-rebind=dhcp,[tag],[tag],...
add DHCPv4/v6 addresses into the rebind protection range. Tags are optional 
to include only limited subnets; otherwise all DHCP server ranges are 
added.

--stop-dns-rebind=interface:name
uses the same method as the DHCPv6 construction to obtain the subnet 
IPv6 prefix. May not work or be implemented for IPv4.

--stop-dns-rebind=address:ipv4/v6
just insert any address into the rebind protection range.

Notable use case: if you actually have outward facing servers such as 
http or vpn, then they should probably be on a unique subnet DMZ. If 
those interfaces are excluded from the rebind protection (maybe =dhcp,[tag]), 
or a separate dnsmasq instance is run for the subnet, then such a subnet 
would resolve globally and locally without filtering.

Eric


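Added example (not dnsmasq code, not from the poster): a small model of the proposed protection set, built from the three sub-options sketched above (dhcp ranges with optional tags, an interface's delegated prefix, and literal addresses) on top of an assumed approximation of the built-in private ranges, with a check that drops an upstream answer whose A/AAAA records fall inside the set. All prefixes and ranges below are constructed documentation values.

```python
import ipaddress

# Assumed approximation of the ranges the existing --stop-dns-rebind rejects:
# RFC1918, loopback, IPv6 link-local and ULA.
BUILTIN_PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fe80::/10", "fc00::/7",
)]


def build_rebind_ranges(dhcp_ranges=(), dhcp_tags=None,
                        interface_prefixes=(), addresses=()):
    """Assemble the protection set from the proposed sub-options.

    dhcp_ranges: (low, high, {tags}) tuples, i.e. DHCPv4/v6 served ranges;
                 when dhcp_tags is given, only ranges carrying one of those
                 tags are added, otherwise all ranges are (hypothetical model).
    interface_prefixes: delegated prefixes learned on an interface (DHCPv6-PD).
    addresses: literal IPv4/v6 addresses or prefixes.
    """
    nets = list(BUILTIN_PRIVATE)
    for low, high, tags in dhcp_ranges:
        if dhcp_tags is not None and not (set(tags) & set(dhcp_tags)):
            continue
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(low), ipaddress.ip_address(high)))
    for prefix in interface_prefixes:
        nets.append(ipaddress.ip_network(prefix, strict=False))
    for addr in addresses:
        nets.append(ipaddress.ip_network(addr, strict=False))
    return nets


def is_protected(addr, nets):
    """True if addr lies in any protected range (IPv4-mapped IPv6 is unwrapped)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in n for n in nets if n.version == ip.version)


def filter_answer(records, nets):
    """records: list of (rtype, rdata) from an upstream reply.
    Returns (records_to_pass, rejected). Assumed policy: if any A/AAAA
    record is protected, drop the whole answer and report the offenders."""
    rejected = [(t, r) for t, r in records
                if t in ("A", "AAAA") and is_protected(r, nets)]
    return ([], rejected) if rejected else (records, [])
```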