Netgate Discussion Forum

    Anti DNS Rebinding patch for Dnsmasq

    • energy

      Maybe an idea to build into pfSense?

      (Quote: Collin R. Mulliner)
      here is a patch for Dnsmasq (the very popular DHCP server and DNS forwarder and cache) that will prevent DNS rebinding attacks against private networks (192.168,10.,…). The patch basically adds a filter to the forward resolver of Dnsmasq. The filter will basically drop all private IP addresses contained in answers. Of course this will not prevent a rebinding attack against other IP ranges like if your local network uses some public IP range. But since Dnsmasq is mainly used for home Cable/DSL routers (like the OpenWRT-based routers) this patch should offer sufficient protection.

      dnsmasq_stopdnsrebind.patch (for dnsmasq 2.40)

      To activate the DNS rebinding protection add --stop-dns-rebinding to the dnsmasq command line. I made it a command line option since dnsmasq is also used as a DNS cache on clients (e.g. Nokia N800) and you still want to be able to resolve local IP addresses.

      dnsmasq with dns rebinding protection:
      http://www.thekelleys.org.uk/dnsmasq/test-releases/dnsmasq-2.41test11.tar.gz

      original patch:
      http://www.mulliner.org/blog/blosxom.cgi/security/dnsmasq_dnsrebinding_protection_patch.html

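The filter described in the quoted post, sketched as an added example (not part of the original post, and not the code of the dnsmasq patch). It assumes the filtered set is the three RFC 1918 IPv4 ranges, since the post only names "192.168,10.,…"; the function names and the sample reply are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed filter set: the RFC 1918 ranges (the post does not list them all). */
static const struct { uint32_t net, mask; } private_nets[] = {
    { 0x0A000000u, 0xFF000000u },  /* 10.0.0.0/8     */
    { 0xAC100000u, 0xFFF00000u },  /* 172.16.0.0/12  */
    { 0xC0A80000u, 0xFFFF0000u },  /* 192.168.0.0/16 */
};

/* Returns 1 if s is a private IPv4 address, 0 if not, -1 if unparsable. */
int is_private_ipv4(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return -1;
    uint32_t ip = ntohl(a.s_addr);  /* compare in host byte order */
    for (size_t i = 0; i < sizeof private_nets / sizeof private_nets[0]; i++)
        if ((ip & private_nets[i].mask) == private_nets[i].net)
            return 1;
    return 0;
}

/* Copies forwardable answers into kept[]; unparsable ones are dropped too. */
size_t filter_answers(const char *const *answers, size_t n, const char **kept)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (is_private_ipv4(answers[i]) == 0)
            kept[k++] = answers[i];
    return k;
}

/* Constructed sample: an upstream reply mixing public and private A records. */
size_t demo_filter(const char **kept)
{
    static const char *const reply[] = {
        "203.0.113.10", "192.168.1.1", "172.31.255.255", "172.32.0.1", "10.0.0.5",
    };
    return filter_answers(reply, sizeof reply / sizeof reply[0], kept);
}

int main(void)
{
    const char *kept[5];
    size_t n = demo_filter(kept);
    for (size_t i = 0; i < n; i++)
        printf("forwarded: %s\n", kept[i]);
}
```

As the quoted post says, a filter like this does nothing for a local network that uses a public range, and this sketch covers IPv4 only.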
      • sullrich

        Support for this is in 2.0.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.