[Dnsmasq-discuss] Feature enhancement to rebind protection

Eric Luehrsen ericluehrsen at gmail.com
Sun Jan 28 16:17:44 GMT 2018


>> wrt misdirected thread: 
>> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011922.htm
>> Some circumstances may be vulnerable to DNS rebinding attacks against 
>> global IPv6 address. Through DHCPv6-PD the local network is a 
>> uniquely identifying global subnet. This makes DNS rebinding to a 
>> local machine on its global IPv6 as easy as traditional RFC1918. It 
>> would be a good idea to eliminate any local network IP (RFC1918 or 
>> otherwise) from global DNS responses... ... 
>> Notable use case: if you actually have outward facing servers such as 
>> http or vpn, then they should probably be on a unique subnet DMZ. If 
>> excluding those interfaces in the rebind protection (maybe 
>> =dhcp,[tag]), or running a separate dnsmasq instance for the subnet, 
>> then such subnet would resolve globally and locally without filtering.
> I would consider that a BUG (Actually it does exist as bug ... in AVM
> Fritz!Boxes).
> Public IPs are public IPs are public IPs.
>
> One of the benefits of IPv6 is, that everybody incl. normal private
> users, can finally get *public* IPs for all devices.
> This effectively removes the need to use different IPs (and sometimes
> even ports) for access to the very same resources, depending on if
> you are at home/at your office or outside.
>
> That means I can put up a web server on 2001:db8:dead::beef, create an
> AAAA record for it and use that new host name from inside as well as
> from the outside of my LAN.
> No need to use 192.168.blah.blubb:80 from inside and bla.dyn.com:88
> from the outside ....
>
> So actually I want my hostnames to resolve anywhere, also at home.

Hi Ziggy,

It would not be a Bug if it is an appropriately selectable option for 
local administration to configure for their own security requirements. 
Local administration may already want anonymity for their client 
computers. IPv6 obscurity is a desired option implemented in RFC 4941 
and discussed more in RFC 7721 for example. The general theme should be, 
however, that local security is a decision to be left to the authority 
over the respective network. Tools and options should be made available 
to make the necessary choices possible.

I had already imagined your concerns, and attempted to address them in 
the use case. Externally facing servers should be placed in a DMZ, that 
is, a specially configured subnet separate from the client access local 
subnet. This includes special firewall, DHCP, DNS and other network 
configuration rules. Also dnsmasq has a white list domain option for 
rebinding protection "--rebind-domain-ok" which allows that your own 
domain may resolve with local network address. This allows for one, 
dnsmasq to work in chains through routed subnets in corporate 
configuration. Yet still protected, "customer97134.ad-pirates.net" 
cannot resolve to your local address.

Hopefully this clarifies the idea.

Eric
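As an added illustration (not dnsmasq's code and not something either poster wrote), here is the decision rule the proposal amounts to, in Python: an upstream answer is dropped when its address falls in a local range, with the DHCPv6-PD delegated prefix treated like RFC1918 space, unless the queried name lies under a --rebind-domain-ok domain. The built-in range list, the function names, and the sample prefix and hostnames are assumptions.

```python
# Added illustration of the rebind filtering rule discussed in the thread.
import ipaddress

# Ranges that stop-dns-rebind style protection treats as local. Assumption:
# this mirrors the well-known private/link-local ranges, not dnsmasq's exact table.
BUILTIN_LOCAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7",
)]


def make_rebind_filter(delegated_prefixes, rebind_domain_ok):
    """Build a predicate: should this upstream answer be discarded?

    delegated_prefixes: global prefixes obtained via DHCPv6-PD; the proposed
        enhancement is to treat them exactly like RFC1918 space.
    rebind_domain_ok: domains exempt from the check (--rebind-domain-ok).
    """
    local_nets = BUILTIN_LOCAL + [ipaddress.ip_network(p) for p in delegated_prefixes]
    ok_domains = [d.lower().strip(".") for d in rebind_domain_ok]

    def in_ok_domain(name):
        name = name.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in ok_domains)

    def is_rebind(name, answer):
        # Whitelisted domains are expected to resolve to local addresses.
        if in_ok_domain(name):
            return False
        addr = ipaddress.ip_address(answer)
        # Version mismatch (v4 address vs v6 net) simply yields False here.
        return any(addr in net for net in local_nets)

    return is_rebind


if __name__ == "__main__":
    # Constructed sample: a /48 delegated to the home router, own domain whitelisted.
    check = make_rebind_filter(["2001:db8:dead::/48"], ["example.home"])
    for name, addr in [("customer97134.ad-pirates.net", "192.168.1.20"),
                       ("customer97134.ad-pirates.net", "2001:db8:dead::beef"),
                       ("www.example.home", "2001:db8:dead::beef"),
                       ("www.example.com", "2001:db8:1::1")]:
        print(name, addr, "DROP" if check(name, addr) else "pass")
```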


