Netgate Discussion Forum
    Modify unbound rebind protection
      SteveITS @darcey

      @darcey In Unbound it's usually done by domain:

      server:
      private-domain: "example.net"
      

      https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-resolver

      Unchecking the System/Advanced option turns it off for all domains as I understand it.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

        darcey @SteveITS

        @SteveITS

        The rebind protection, as I understand it, adds the following to unbound.conf:

        private-address: 127.0.0.0/8
        private-address: 10.0.0.0/8
        private-address: ::ffff:a00:0/104
        private-address: 172.16.0.0/12
        private-address: ::ffff:ac10:0/108
        private-address: 169.254.0.0/16
        private-address: ::ffff:a9fe:0/112
        private-address: 192.168.0.0/16
        private-address: ::ffff:c0a8:0/112
        private-address: fd00::/8
        private-address: fe80::/10
        

        I want to replicate that, with the exception of 127.0.0.0/8.

        Reason: To permit dnsbl and spf checks from a mailserver.
        Whilst I was able to have DNSBL working by adding explicit hostnames:

        private-domain: "zen.spamhaus.org"
        private-domain: "b.barracudacentral.org"
        

        This is not sufficient for SPF since you do not know the domains in advance. Instead, I disable dns-rebind protection, then manually create the RFC1918 ranges I still would like in unbound->custom dialog box.

        But, my question is this, when dns-rebind protection is active in pfsense, is that code block above (in unbound.conf) the only modification generated in respect of unbound? I think it is, but just seeking confirmation.

        Sorry that seems a bit long-winded, but it hopefully clears up what I am trying to do and why.

          SteveITS @darcey

          @darcey I get what you're asking for. I don't know the specific answer though. I would guess, uncheck the option and look for files that change on pfSense. I would think it would rebuild the unbound config files when changes are applied. A restart will rebuild more (all?) config files.

          The GUI protection I don't think is related to DNS at all but I don't think it turns off and on, it just is, and one can add alt hostnames.

          I don't really get the comment about SPF though, that returns a TXT record so I would think is unaffected by any private IPs that might be in the TXT record...?


            darcey @SteveITS

            @SteveITS The SPF check involves several (potentially up to 10) DNS queries to finally verify if the IP is permitted to relay mail for the domain. Whilst the first query is for the SPF TXT record (no problems there), there will eventually be an A record query, similar to a DNSBL lookup, of the form n.n.n.n.domain.tld. This will typically return an IP in the 127.0.0.0/8 range. If the domain's SPF policy is -all rather than ~all, and default dns-rebind is active, the mail will be refused.
            I have only just looked into this. Previously, I simply configured unbound to exempt the DNSBL hosts I used. But that is not enough.
            I now have dns rebind turned off and instead have in my unbound custom config the following:

            #private-address: 127.0.0.0/8
            private-address: 10.0.0.0/8
            private-address: ::ffff:a00:0/104
            private-address: 172.16.0.0/12
            private-address: ::ffff:ac10:0/108
            private-address: 169.254.0.0/16
            private-address: ::ffff:a9fe:0/112
            private-address: 192.168.0.0/16
            private-address: ::ffff:c0a8:0/112
            private-address: fd00::/8
            private-address: fe80::/10
            

            And dispensed with the private-domain: "example.net" lines for dnsbl sites, as they're no longer needed.

            I checked using spfquery and packet capture, with rebind protection on and off.

            So I think I've sorted it whilst retaining at least some dns-rebind protection. But I would still be very interested in any comments.

              SteveITS @darcey

              @darcey said in Modify unbound rebind protection:

              there will eventually be an A record query, similar to a dnsbl lookup, of the form n.n.n.n.domain.tld. This will typically return an IP in the 127.0.0.0/8 range.

              Oh I understand SPF. I wouldn’t expect private IPs to be used in SPF on the Internet though so I’d push back on that being “typical.” But if you need it for your scenario then sure you’d need this setting.


                darcey @SteveITS

                @SteveITS Maybe not typical but I don't see it as peculiar to my setup. Below is the response from an SPF lookup to a third party domain. It's what prompted me to look into it:

                ~# spfquery --scope mfrom --id mailbox@mailln.custhelp.com --ip 138.1.83.23
                pass
                
                query 0x9733 TXT mailln.custhelp.com
                query response 0x9733 TXT mailln.custhelp.com TXT
                query 0xcfed TXT custhelp.com
                query response 0xcfed TXT custhelp.com TXT TXT
                query 0x5a19 TXT spf-a.rnmk.com
                query response 0x5a19 TXT spf-a.rnmk.com TXT
                query 0xbaa2 A 138.1.83.23.spf.rnmk.com
                query response 0xbaa2 A 138.1.83.23.spf.rnmk.com A 127.0.0.2
                

                But, with full DNS rebind protection, that's a fail since the 127.0.0.2 is not present in the final query response.

                I'm very sketchy on SPF and had assumed from this that the mechanism is similar to DNSBL. These localhost type addresses are interpreted by a mailserver rather than being significant as an actual IP. A kind of abuse/reuse of DNS A queries?

                  SteveITS @darcey

                  @darcey SPF is to let you know what IPs are allowed to send you mail for a domain. Your internet mail server would not receive mail for someone’s domain from 127.0.0.2. But I suppose that other domain could list internal IPs…?

                  Am not near a PC but https://www.kitterman.com/spf/validate.html (from openspf site) shows:

                  Found v=spf1 record for spf-a.rnmk.com:
                  v=spf1 ip4:129.152.0.0/17 ip6:2606:b400:8810::/44 -all

                  …which doesn’t look like your answer.


                    Bob.Dig @SteveITS

                    I am with SteveITS.
                    Checking this with mx-toolbox doesn't reveal a localhost address. So maybe this comes from pfBlockerNG-DNSBL in your case?

                    OT: I would like to disable dns rebind protection in pfSense but with that, I would lose the ability to use split-dns with a DNSSEC-enabled domain. 😢

                      darcey @Bob.Dig

                      @Bob-Dig

                      I see the same response as Steve to that particular TXT query (spf-a.rnmk.com).

                      AIUI it is the response to the final A query that is determining whether the SPF check is a pass or fail.
                      I won't pretend to understand the logic behind the sequence of DNS queries but I now think there's nothing untoward here. (I am not using any DNSBL with unbound). As to the final query result of 127.0.0.2:

                      This is the last query

                      Domain Name System (response)
                          Transaction ID: 0xbaa2
                          Flags: 0x8180 Standard query response, No error
                          Questions: 1
                          Answer RRs: 1
                          Authority RRs: 0
                          Additional RRs: 0
                          Queries
                              138.1.83.23.spf.rnmk.com: type A, class IN
                                  Name: 138.1.83.23.spf.rnmk.com
                                  [Name Length: 24]
                                  [Label Count: 7]
                                  Type: A (Host Address) (1)
                                  Class: IN (0x0001)
                          Answers
                              138.1.83.23.spf.rnmk.com: type A, class IN, addr 127.0.0.2
                                  Name: 138.1.83.23.spf.rnmk.com
                                  Type: A (Host Address) (1)
                                  Class: IN (0x0001)
                                  Time to live: 900 (15 minutes)
                                  Data length: 4
                                  Address: 127.0.0.2
                          [Request In: 7]
                          [Time: 0.457696000 seconds]
                      

                      And this is the query and resulting SPF record that led to it:

                      Domain Name System (response)
                          Transaction ID: 0xcfed
                          Flags: 0x8180 Standard query response, No error
                          Questions: 1
                          Answer RRs: 2
                          Authority RRs: 0
                          Additional RRs: 0
                          Queries
                              custhelp.com: type TXT, class IN
                                  Name: custhelp.com
                                  [Name Length: 12]
                                  [Label Count: 2]
                                  Type: TXT (Text strings) (16)
                                  Class: IN (0x0001)
                          Answers
                              custhelp.com: type TXT, class IN
                                  Name: custhelp.com
                                  Type: TXT (Text strings) (16)
                                  Class: IN (0x0001)
                                  Time to live: 900 (15 minutes)
                                  Data length: 60
                                  TXT Length: 59
                                  TXT: v=spf1 include:spf-a.rnmk.com exists:%{i}.spf.rnmk.com -all
                          [Request In: 3]
                          [Time: 0.074070000 seconds]
                      

                      I have since found some information that helped me: The “exists” mechanism

                      The value of the last A response is apparently irrelevant, just that one exists. Then, the SPF check succeeds.

                      Thanks for helping me work through it and learn.

                      @Bob-Dig said in Modify unbound rebind protection:

                      OT: I would like to disable dns rebind protection in pfSense but with that, I would lose the ability to use split-dns with a DNSSEC-enabled domain

                      My thinking at the moment is to have dns-rebind protection for desktops, phones, iot devices but not for server applications. To that end I have a pihole with dns-rebind enabled and exceptions for the lan domainnames I use. Sorry I know next to nothing about DNSSEC.

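The interaction darcey worked out above (pfSense's private-address list stripping the 127.0.0.2 answer, and SPF's exists: mechanism only caring that some A record comes back) as an added example, not code from the thread or from unbound. It models the private-address filter in a few lines of Python rather than using unbound itself, and the conf strings and the 127.0.0.2 answer are constructed from the lines quoted in the thread.

```python
import ipaddress

# Constructed from the unbound.conf quoted in this thread: pfSense's full rebind list, and darcey's custom list with 127.0.0.0/8 commented out.
CONF_FULL = """
private-address: 127.0.0.0/8
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10
"""
CONF_MAIL = CONF_FULL.replace("private-address: 127.0.0.0/8", "#private-address: 127.0.0.0/8")

def parse_private_addresses(conf_text):
    """Collect private-address: prefixes from unbound.conf text, skipping # comments."""
    nets = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("private-address:"):
            continue  # commented-out (#...) and unrelated directives are ignored
        nets.append(ipaddress.ip_network(line.split(":", 1)[1].strip(), strict=False))
    return nets

def rebind_filter(answers, private_nets):
    """Simplified model (not unbound's code) of the private-address check: drop any
    A/AAAA answer whose address falls inside a configured private prefix."""
    return [a for a in answers
            if not any(ipaddress.ip_address(a) in net for net in private_nets)]

def spf_exists_result(answers, default="-all"):
    """RFC 7208 'exists:' matches when the A lookup returns any record at all; the
    address value (here 127.0.0.2) is irrelevant. Otherwise the 'all' default applies."""
    if answers:
        return "pass"
    return {"-all": "fail", "~all": "softfail", "?all": "neutral"}.get(default, "neutral")

def check_exists(conf_text, upstream_answers, default="-all"):
    """Evaluate exists: for the answer the resolver would hand back under this config."""
    return spf_exists_result(rebind_filter(upstream_answers, parse_private_addresses(conf_text)), default)

if __name__ == "__main__":
    # The A answer seen in darcey's capture for 138.1.83.23.spf.rnmk.com
    upstream = ["127.0.0.2"]
    print("full rebind list :", check_exists(CONF_FULL, upstream))  # fail
    print("127/8 exempted   :", check_exists(CONF_MAIL, upstream))  # pass
```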
                        SteveITS @darcey

                        @darcey re:exists, that’s the part I was missing. Not always easy to look at things on a phone. Might be the first time I’ve seen it used.


                          darcey @SteveITS

                          @SteveITS said in Modify unbound rebind protection:

                          Might be the first time I’ve seen it used.

                          I was completely clueless and it hadn't affected any other incoming mail as far as I am aware. So I guess it is an infrequently used SPF mechanism. Thanks for the help here and elsewhere.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.