Anti DNS Rebinding patch for Dnsmasq
Maybe an idea to build into pfSense?
(Quote: Collin R. Mulliner)
here is a patch for Dnsmasq (the very popular DHCP server and DNS forwarder and cache) that will prevent DNS rebinding attacks against private networks (192.168,10.,…). The patch basically adds a filter to the forward resolver of Dnsmasq. The filter will basically drop all private IP addresses contained in answers. Of course this will not prevent a rebinding attack against other IP ranges like if your local network uses some public IP range. But since Dnsmasq is mainly used for home Cable/DSL routers (like the OpenWRT-based routers) this patch should offer sufficient protection.
dnsmasq_stopdnsrebind.patch (for dnsmasq 2.40)
To activate the DNS rebinding protection add --stop-dns-rebinding to the dnsmasq command line. I made it a command line option since dnsmasq is also used as a DNS cache on clients (e.g. Nokia N800) and you still want to be able to resolve local IP addresses.
dnsmasq with dns rebinding protection:
http://www.thekelleys.org.uk/dnsmasq/test-releases/dnsmasq-2.41test11.tar.gz
original patch:
http://www.mulliner.org/blog/blosxom.cgi/security/dnsmasq_dnsrebinding_protection_patch.html
Support for this is in 2.0.
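The answer filter the quoted post describes, as an added illustration written for this page (it is neither Mulliner's patch nor dnsmasq's own code): it walks the answer section of a constructed DNS response and drops A records that point into private ranges, the way a forwarder with --stop-dns-rebinding would before handing the reply to a client. Python's `ipaddress.is_private` is used as the range test, which is broader than the patch's list (it also covers loopback, link-local and other IANA special-purpose blocks); the sample name and records are assumptions.

```python
"""Drop private-address A records from a DNS answer section (anti-rebinding)."""
import ipaddress
import struct


def read_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2                # caller resumes right after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def filter_private(msg):
    """Return (kept, dropped) answer records; A records in private ranges are dropped."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                                  # fixed 12-byte header
    for _ in range(qdcount):                  # skip the question section
        _, off = read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    kept, dropped = [], []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1:                        # A record: 4-byte IPv4 address
            addr = ipaddress.IPv4Address(rdata)
            (dropped if addr.is_private else kept).append((name, str(addr)))
        else:                                 # other types pass through unchanged
            kept.append((name, rdata.hex()))
    return kept, dropped


def sample_response():
    """Constructed reply: evil.test answers with one public and one 192.168 address."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    qname = b"\x04evil\x04test\x00"
    question = qname + struct.pack("!HH", 1, 1)
    ptr = b"\xc0\x0c"                         # name pointer to the question name at offset 12
    rr = lambda ip: ptr + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + rr("93.184.216.34") + rr("192.168.1.1")
```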