wrt misdirected thread: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011922.htm

Some circumstances may be vulnerable to DNS rebinding attacks against global IPv6 addresses. Through DHCPv6-PD the local network is a uniquely identifying global subnet. This makes DNS rebinding to a local machine on its global IPv6 address as easy as traditional RFC1918. It would be a good idea to eliminate any local network IP (RFC1918 or otherwise) from global DNS responses...

Notable use case: if you actually have outward facing servers such as http or vpn, then they should probably be on a unique subnet DMZ. If excluding those interfaces in the rebind protection (maybe =dhcp,[tag]), or running a separate dnsmasq instance for the subnet, then such subnet would resolve globally and locally without filtering.
I would consider that a BUG (Actually it does exist as bug ... in AVM
Public IPs are public IPs are public IPs.

One of the benefits of IPv6 is, that everybody incl. normal private
users, can finally get *public* IPs for all devices.
This effectively removes the need to use different IPs (and sometimes
even ports) for access to the very same resources, depending on if
you are at home/at your office or outside.

That means I can put up a web server on 2001:db8:dead::beef, create an
AAAA record for it and use that new host name from inside as well as
from the outside of my LAN.
No need to use 192.168.blah.blubb:80 from inside and bla.dyn.com:88
from the outside ....

So actually I want my hostnames to resolve anywhere, also at home.

Hi Ziggy,

It would not be a Bug if it is an appropriately selectable option for local administration to configure for their own security requirements. Local administration may already want anonymity for their client computers. IPv6 obscurity is a desired option implemented in RFC 4941 and discussed more in RFC 7721 for example. The general theme should be, however, that local security is a decision to be left to the authority over the respective network. Tools and options should be made available to make the necessary choices possible.

I had already imagined your concerns, and attempted to address them in the use case. Externally facing servers should be placed in a DMZ, that is, a specially configured subnet separate from the client access local subnet. This includes special firewall, DHCP, DNS and other network configuration rules. Also dnsmasq has a white list domain option for rebinding protection, "--rebind-domain-ok", which allows that your own domain may resolve with a local network address. This allows, for one, dnsmasq to work in chains through routed subnets in a corporate configuration. Yet still protected, "customer97134.ad-pirates.net" cannot resolve to your local address.

Hopefully this clarifies the idea.
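The filtering logic proposed in this thread, as an added example that is not dnsmasq's own code: upstream answers pointing into the site's local prefixes (RFC1918, ULA, and the prefix delegated via DHCPv6-PD) are dropped unless the queried name falls under a whitelisted domain, mirroring the intent of `--rebind-domain-ok`. The prefixes, the delegated /56 and the `example.net` zone are constructed placeholders.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed example: prefixes this site treats as "local". RFC1918 and ULA
# ranges plus a /56 standing in for the prefix the ISP delegated via DHCPv6-PD
# (taken from the 2001:db8::/32 documentation range, not a real delegation).
LOCAL_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC1918
    "fc00::/7",                                          # IPv6 ULA
    "2001:db8:dead::/56",                                # our DHCPv6-PD prefix (constructed)
)]

# Domains whose records may legitimately carry local addresses (our own zone
# and its subdomains), in the spirit of dnsmasq's --rebind-domain-ok.
ALLOWED_DOMAINS = ("example.net",)


def in_allowed_domain(qname: str, allowed: Iterable[str]) -> bool:
    """True if qname equals, or is a subdomain of, any allowed domain."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allowed)


def is_local(addr: str, prefixes=LOCAL_PREFIXES) -> bool:
    """True if the address lies inside one of the site's local prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes if net.version == ip.version)


def filter_rebind(qname: str, answers: Iterable[str],
                  allowed=ALLOWED_DOMAINS,
                  prefixes=LOCAL_PREFIXES) -> Tuple[List[str], List[str]]:
    """Split an upstream A/AAAA answer set into (kept, dropped).

    Addresses inside a local prefix are dropped, so an attacker-controlled
    name cannot be pointed at a LAN host, unless the queried name is under a
    whitelisted domain, in which case every answer is passed through.
    """
    if in_allowed_domain(qname, allowed):
        return list(answers), []
    kept, dropped = [], []
    for addr in answers:
        (dropped if is_local(addr, prefixes) else kept).append(addr)
    return kept, dropped


if __name__ == "__main__":
    # The thread's own example: a foreign name answering with our global /56.
    print(filter_rebind("customer97134.ad-pirates.net", ["2001:db8:dead::beef"]))
    print(filter_rebind("www.example.net", ["2001:db8:dead::beef"]))
```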


Dnsmasq-discuss mailing list