This is a request for feature feasibility or acceptability.

Some circumstances may be vulnerable to DNS rebinding attacks against global IPv6 addresses. Through DHCPv6-PD the local network is a uniquely identifying global subnet. This makes DNS rebinding to a local machine on its global IPv6 address as easy as with traditional RFC1918 addresses. It would be a good idea to eliminate any local network IP (RFC1918 or otherwise) from global DNS responses.

For dnsmasq, this could be implemented with a few options or option variations. One option is to rebind-protect the range of all DHCP-served addresses, if outside of the normal local IPv4/6 ranges. Another option would add the IPv4/6 prefix discovered on an interface to the rebind protection range. Granted, few small installations (the dnsmasq user base) have the cash for a global IPv4, but maybe implement this generically for completeness. This could either reuse the current option or create a new option. The following is just a rough concept.

--stop-dns-rebind
without sub options, it takes its original actions

--stop-dns-rebind=dhcp,[tag],[tag],...
add DHCPv4/v6 addresses into the rebind protection range. Tag is optional, to include only limited subnets; otherwise all DHCP server ranges are added.

--stop-dns-rebind=interface:name
uses the same method as the DHCPv6 construction to obtain the subnet IPv6 prefix. May not work or be implemented for IPv4.

--stop-dns-rebind=address:ipv4/v6
just insert any address into the rebind protection range.

Notable use case: if you actually have outward-facing servers such as http or vpn, then they should probably be on a unique DMZ subnet. If those interfaces are excluded from the rebind protection (maybe =dhcp,[tag]), or a separate dnsmasq instance is run for the subnet, then such a subnet would resolve globally and locally without filtering.

Eric
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
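The filtering rule the proposal amounts to, written out as an added example (not dnsmasq code and not part of the original post): a reply whose A/AAAA records point into a protected range is rejected, and the DHCP-served prefixes, including a DHCPv6-PD delegated global prefix, are added to the protected set, with the tagged DMZ subnets exempted. Prefixes and addresses are constructed from documentation space (2001:db8::/32, 192.168.0.0/16), and the function names are assumptions of this example.

```python
import ipaddress

# Ranges a conventional rebind filter already refuses in upstream answers.
# All prefixes and addresses in this example are constructed, not real.
DEFAULT_PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC1918
    "127.0.0.0/8", "::1/128",                          # loopback
    "fe80::/10", "fc00::/7",                           # link-local, ULA
)]


def build_protected_ranges(dhcp_ranges):
    """Model the post's '=dhcp' idea: every prefix the DHCP server hands out,
    including a DHCPv6-PD delegated *global* prefix, joins the protected set."""
    return DEFAULT_PROTECTED + [ipaddress.ip_network(r, strict=False)
                                for r in dhcp_ranges]


def rebind_check(answers, protected, exempt=()):
    """Classify the A/AAAA addresses of one upstream reply.

    Returns (accept, offenders): accept is False when any answer lands in a
    protected range, mirroring a filter that rejects the whole reply rather
    than stripping single records. 'exempt' models the tagged DMZ subnets
    (or the separate-instance case) that should keep resolving everywhere.
    Membership tests across IPv4/IPv6 simply return False in ipaddress.
    """
    exempt_nets = [ipaddress.ip_network(e) for e in exempt]
    offenders = []
    for a in answers:
        ip = ipaddress.ip_address(a)
        if any(ip in e for e in exempt_nets):
            continue
        if any(ip in net for net in protected):
            offenders.append(a)
    return (not offenders, offenders)


if __name__ == "__main__":
    # Constructed: ISP delegated 2001:db8:abcd::/48 via DHCPv6-PD; the LAN
    # uses ...:1::/64 and the DMZ ...:2::/64.
    protected = build_protected_ranges(
        ["192.168.1.0/24", "2001:db8:abcd:1::/64", "2001:db8:abcd:2::/64"])
    dmz = ["2001:db8:abcd:2::/64"]
    print(rebind_check(["2001:db8:abcd:1::10"], protected))      # rejected: LAN host on its global IPv6
    print(rebind_check(["2001:db8:abcd:2::80"], protected, dmz))  # accepted: DMZ web server exempt
    print(rebind_check(["203.0.113.7", "2001:db8:ffff::1"], protected))  # accepted: ordinary global answers
```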