DNS rebind protection not working
-
SO... interesting thing here...
I found this doing a DNS lookup through the pfSense webgui... the IPv4 result being returned is blocked... but there is also an IPv6 version of the IPv4 address that isn't being blocked. Many regular DNS clients will show the IPv6 result here as the IPv4 address, but it shows as a AAAA record in the lookup details through pfSense.
The unbound.conf man page shows in the private-address section that blocking ::ffff:0:0/96 would block the IPv6 representation of IPv4 addresses... though you could get more granular to just block the specific IPv4 blocks in their IPv6 representations (there may be legitimate instances where using an IPv6 version of an IPv4 address might be necessary). These ranges would be...
- ::ffff:a00:0/104 (aka 10.0.0.0/8)
- ::ffff:a9fe:0/112 (aka 169.254.0.0/16)
- ::ffff:ac10:0/108 (aka 172.16.0.0/12)
- ::ffff:c0a8:0/112 (aka 192.168.0.0/16)
Maybe to fully ensure rebinding protection is effective, these should be added to the unbound config as well?
Edit to add: I added those through the custom options box for Unbound and it's now failing to return results for the rebind test hostnames.
-
@virgiliomi said in DNS rebind protection not working:
::ffff:c0a8:0/112
Good work!
I see "access-control: <IP netblock> <action>" in the documentation for unbound, but that says "The action deny stops queries from hosts from that netblock." Which isn't really what we are looking for since we want to strip those IP ranges from the responses rather than block queries.
Can you tell me what exactly you added to the unbound custom options box in order to set this up?
Thanks
-
The private-address option is what you want to use. With it, you can specify IP address ranges that should be considered private, and Unbound will strip the address from any result that might otherwise return it.
Here's what I added to the custom options...
server: private-address: ::ffff:a00:0/104 private-address: ::ffff:a9fe:0/112 private-address: ::ffff:ac10:0/108 private-address: ::ffff:c0a8:0/112
If you already have a
server:
line for other options, you can omit that... otherwise, this should do the job. The IPv4 blocks are all using the same option.Also created bug 8750 in Redmine for this.
-
Confirmed that this fix is working.
I just went to the web interface and put this into custom options:
server:
private-address: ::ffff:a00:0/104
private-address: ::ffff:a9fe:0/112
private-address: ::ffff:ac10:0/108
private-address: ::ffff:c0a8:0/112 -
I updated the redmine link with this thread.. Should be an easy fix.. And your work around should be fine.. Have added it to my options as well and set the redmine to watched.
-
Looks like already got a fix out
https://redmine.pfsense.org/issues/8750#change-37534 -
Thanks @jimp!
-
I noticed this myself, thanks for work-around until officially fixed.
Just got my Netgate SG-3100 today.
Sadly not working for me though.
On Services > DNS Forwarder, "General DNS Forwarder Options" page "services_dnsmasq.php", under "Custom options":
server: private-address: ::ffff:a00:0/104 private-address: ::ffff:a9fe:0/112 private-address: ::ffff:ac10:0/108 private-address: ::ffff:c0a8:0/112
Save button and get:
The following input errors were detected: Invalid custom options
Log page @ status_logs.php?logfile=resolver, shows:
Aug 29 23:03:46 dnsmasq 10949 bad command line options: try --help Aug 29 23:03:46 dnsmasq 10949 FAILED to start up
-
Those options are for using the resolver (unbound) which is default - not the forwarder dnsmasq..
-
@johnpoz Thanks for that. Success. :)