This is a request for feature feasibility or acceptability.
Some circumstances may be vulnerable to DNS rebinding attacks against
global IPv6 addresses. Through DHCPv6-PD the local network is a uniquely
identifying global subnet. This makes DNS rebinding to a local machine
on its global IPv6 address as easy as with traditional RFC1918 addresses.
It would be a good idea to eliminate any local network IP (RFC1918 or
otherwise) from global DNS responses.
For dnsmasq, this could be implemented with a few options or option
variations. One option is to rebind-protect the range of all DHCP-served
addresses, if outside of the normal local IPv4/6 ranges. Another option
would add the IPv4/6 addresses discovered on an interface to the rebind
protection range. Granted, few small installations (the dnsmasq user base)
have the cash for a global IPv4, but maybe implement this generically for
completeness. This could either reuse the current option or create a new
option. The following is just a rough concept.
without sub-options, it takes its original actions
add DHCPv4/v6 addresses into the rebind protection range. Tag is optional
to include only limited subnets, else all DHCP server ranges are
uses the same method as the DHCPv6 construction to obtain the subnet
IPv6 prefix. May not work or be implemented for IPv4.
just insert any address into the rebind protection range.
Notable use case: if you actually have outward-facing servers such as
http or vpn, then they should probably be on a unique DMZ subnet. If
those interfaces are excluded from the rebind protection (maybe
=dhcp,[tag]), or a separate dnsmasq instance is run for the subnet, then
such a subnet would resolve globally and locally without filtering.
Dnsmasq-discuss mailing list