Re: [Dnsmasq-discuss] Update rebind attack protection to include IP6 delegation

2018-01-27 Thread Ziggy SpaceRat


> Some circumstances may be vulnerable to DNS rebinding attacks
> against global IPv6 address. Through DHCPv6-PD the local network is
> a uniquely identifying global subnet. This makes DNS rebinding to a
> local machine on its global IPv6 as easy as traditional RFC1918. It
> would be a good idea to eliminate any local network IP (RFC1918 or
> otherwise) from global DNS responses.

I would consider that a BUG (Actually it does exist as bug ... in AVM
Fritz!Boxes).
Public IPs are public IPs are public IPs.

One of the benefits of IPv6 is, that everybody incl. normal private
users, can finally get *public* IPs for all devices.
This effectively removes the need to use different IPs (and sometimes
even ports) for access to the very same resources, depending on if
you are at home/at your office or outside.

That means I can put up a web server on 2001:db8:dead::beef, create an
  record  for it and use that new host name from inside as well as
from the outside of my LAN.
No need to use 192.168.blah.blubb:80 from inside and bla.dyn.com:88
from the outside.

So actually I want my hostnames to resolve anywhere, also at home.


-- 
Kind regards
Ziggy SpaceRat


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


[Dnsmasq-discuss] Update rebind attack protection to include IP6 delegation

2018-01-27 Thread Eric Luehrsen

This is a request for feature feasibility or acceptability.

Some circumstances may be vulnerable to DNS rebinding attacks against 
global IPv6 address. Through DHCPv6-PD the local network is a uniquely 
identifying global subnet. This makes DNS rebinding to a local machine 
on its global IPv6 as easy as traditional RFC1918. It would be a good 
idea to eliminate any local network IP (RFC1918 or otherwise) from 
global DNS responses.


For dnsmasq, this could be implemented with a few options or option 
variations. One option is to rebind-protect the range of all DHCP-served 
addresses, if outside of the normal local IPv4/6 ranges. Another option 
would add the IPv4/6 discovered on an interface to the rebind protection 
range. Granted, few small installations (dnsmasq user base) have the cash 
for a global IPv4, but maybe implement this generically for 
completeness. This could either reuse the current option or create a new 
option. The following is just a rough concept.


--stop-dns-rebind
without sub options, it takes its original actions

--stop-dns-rebind=dhcp,[tag],[tag],...
add DHCPv4/v6 address into the rebind protection range. Tag is optional, 
to include only limited subnets, else all DHCP server ranges are 
added.


--stop-dns-rebind=interface:name
uses the same method as the DHCPv6 construction to obtain the subnet 
IPv6 prefix. May not work or be implemented for IPv4.


--stop-dns-rebind=address:ipv4/v6
just insert any address into the rebind protection range.

Notable use case: if you actually have outward facing servers such as 
http or vpn, then they should probably be on a unique subnet DMZ. If 
excluding those interfaces in the rebind protection (maybe =dhcp,[tag]), 
or running a separate dnsmasq instance for the subnet, then such subnet 
would resolve globally and locally without filtering.


Eric
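As an added illustration of the logic the three proposed sub-options describe (this is not dnsmasq code, the sub-option names exist only in the proposal above, and the address pools, tags and upstream answer below are constructed sample data), the following Python builds a protected prefix set from the usual private ranges plus selected DHCP pools, an interface's delegated prefix and explicit addresses, then drops any A/AAAA answer that falls inside it. Running it with the defaults only shows the gap the proposal targets: the answer inside the DHCPv6-PD /64 passes; with the `dhcp,lan` style selection it is rejected while the `dmz`-tagged pool still resolves.

```python
"""Rebind-protection filter extended with locally learned prefixes.

Added example, not dnsmasq's implementation. DEFAULT_LOCAL is an assumed
private/local set, not dnsmasq's exact list; all pools and answers are
constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# What a plain --stop-dns-rebind is assumed to already cover: RFC1918,
# loopback, link-local and unique-local IPv6. Global addresses are not here,
# which is exactly why a PD-delegated /64 slips through.
DEFAULT_LOCAL: List[Network] = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


@dataclass
class DhcpRange:
    """One DHCP pool with an optional tag (like set:<tag> on a dhcp-range)."""
    network: Network
    tag: Optional[str] = None


def build_protected(dhcp_ranges: Iterable[DhcpRange] = (),
                    include_tags: Optional[Set[str]] = None,
                    interface_prefixes: Iterable[str] = (),
                    addresses: Iterable[str] = ()) -> List[Network]:
    """Return the prefix set a rebind check would consult.

    dhcp_ranges / include_tags model 'dhcp,[tag],...': with no tags every
    pool is added, otherwise only pools carrying a listed tag.
    interface_prefixes models 'interface:name': an address/prefix-length as
    seen on the interface, reduced to its subnet.
    addresses models 'address:ip': single hosts inserted verbatim.
    """
    nets = list(DEFAULT_LOCAL)
    for r in dhcp_ranges:
        if include_tags is None or r.tag in include_tags:
            nets.append(r.network)
    for p in interface_prefixes:
        # strict=False turns 2001:db8:1234:5678::1/64 into the /64 itself
        nets.append(ipaddress.ip_network(p, strict=False))
    for a in addresses:
        nets.append(ipaddress.ip_network(a))  # host route: /32 or /128
    return nets


def is_protected(addr: str, nets: Iterable[Network]) -> bool:
    """True if the address lies in any protected prefix (version-aware)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def filter_answer(rdata: Iterable[str],
                  nets: Iterable[Network]) -> Tuple[List[str], List[str]]:
    """Split upstream A/AAAA rdata into (kept, rejected) lists."""
    kept, rejected = [], []
    for a in rdata:
        (rejected if is_protected(a, nets) else kept).append(a)
    return kept, rejected


# Constructed sample: a LAN pool on RFC1918, the LAN's PD-derived /64,
# and a separately tagged DMZ /64 that should keep resolving globally.
SAMPLE_RANGES = [
    DhcpRange(ipaddress.ip_network("192.168.1.0/24"), "lan"),
    DhcpRange(ipaddress.ip_network("2001:db8:1234:5678::/64"), "lan"),
    DhcpRange(ipaddress.ip_network("2001:db8:1234:ffff::/64"), "dmz"),
]

# Constructed upstream answer mixing a genuine public host, a host inside
# the delegated LAN /64, a DMZ host and an RFC1918 host.
UPSTREAM_ANSWER = [
    "203.0.113.5",
    "2001:db8:1234:5678::10",
    "2001:db8:1234:ffff::80",
    "192.168.1.20",
]


def demo_defaults_only():
    """Classic behaviour: only the RFC1918 answer is rejected."""
    return filter_answer(UPSTREAM_ANSWER, build_protected())


def demo_dhcp_lan_tag():
    """'dhcp,lan' behaviour: the PD /64 answer is now rejected, DMZ passes."""
    nets = build_protected(SAMPLE_RANGES, include_tags={"lan"})
    return filter_answer(UPSTREAM_ANSWER, nets)


if __name__ == "__main__":
    print("defaults only:", demo_defaults_only())
    print("dhcp,lan     :", demo_dhcp_lan_tag())
```

The tag selection is what makes the "outward facing servers on a DMZ subnet" case work without a second dnsmasq instance: leaving the `dmz` pool out of the selected tags keeps its /64 resolvable from inside and outside, while every LAN pool and the delegated prefix are filtered.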

