Unbound - small DNS Rebinding Security Issue
-
Hello.
Found a small DNS Rebinding Security issue, and that is that 127.0.0.0/8 is not covered by rebinding protection. Using "custom" config does not work at all (yields an invalid config).
However, if you use File manager, you can easily go into: /usr/local/pkg/unbound.inc, scroll down until you find "private-address: 10.0.0.0/8" and then add the following entry:
private-address: 127.0.0.0/8
The whole block should read:
For DNS Rebinding prevention
private-address: 10.0.0.0/8
private-address: 127.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 192.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
Testing tools should now report that you have full IPv4 DNS Rebinding protection, rather than "partial IPv4 DNS Rebinding protection".
Maybe this can be patched into the package?
-
you should contact the maintainer of unbound to get this added to the updated package… (wagonza)
nice catch.
-
@SunCatalyst:
you should contact the maintainer of unbound to get this added to the updated package… (wagonza)
… We both hope that he is reading this forum? ;)
-
A bit late on this thread - but adding 127.0.0.0/8 would hinder mail servers making use of RBLs.
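Added example, not part of any post in this thread and not code from the unbound package: a small checker that parses the private-address block quoted in the first post, reports which ranges it leaves uncovered, and shows the effect the last post describes on a DNSBL-style 127.0.0.x answer. The EXPECTED list (including IPv4 link-local 169.254.0.0/16) and the function names are assumptions made for this example.

```python
import ipaddress

# Block exactly as quoted in the first post (already includes 127.0.0.0/8).
POSTED_BLOCK = """\
For DNS Rebinding prevention
private-address: 10.0.0.0/8
private-address: 127.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 192.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
"""
# The same block before the edit described in the post.
STOCK_BLOCK = POSTED_BLOCK.replace("private-address: 127.0.0.0/8\n", "")

# Assumption (not from the thread): ranges a rebinding filter should cover.
EXPECTED = ["10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
            "192.168.0.0/16", "fd00::/8", "fe80::/10"]


def parse_private_addresses(conf_text):
    """Return the networks named on private-address: lines, ignoring the rest."""
    nets = []
    for line in conf_text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition(":")
        if sep and key.strip() == "private-address":
            nets.append(ipaddress.ip_network(value.strip(), strict=False))
    return nets


def uncovered(conf_text, expected=EXPECTED):
    """Expected ranges that no configured private-address fully contains."""
    have = parse_private_addresses(conf_text)
    return [cidr for cidr in expected
            if not any(n.version == ipaddress.ip_network(cidr).version
                       and ipaddress.ip_network(cidr).subnet_of(n) for n in have)]


def is_stripped(answer_ip, conf_text):
    """True if an answer with this address falls in a private-address range."""
    ip = ipaddress.ip_address(answer_ip)
    return any(ip.version == n.version and ip in n
               for n in parse_private_addresses(conf_text))


if __name__ == "__main__":
    print("stock block misses:", uncovered(STOCK_BLOCK))
    print("posted block misses:", uncovered(POSTED_BLOCK))
    # 127.0.0.2 is the conventional DNSBL "listed" answer (constructed sample).
    print("127.0.0.2 stripped:", is_stripped("127.0.0.2", POSTED_BLOCK))
```

Unbound's `private-domain:` option exempts a named zone from this filtering, which is the usual way to keep DNSBL lookups working alongside a 127.0.0.0/8 entry.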