It's always nice reading these things about your favourite firewall

  • Heffner also called on router vendors to build in DNS Rebinding mitigations into their routers directly.

    "The only router software that I know of that does this now is pfsense," Heffner said. "They contacted me when my Black Hat talk abstract went up."

  • Agreed - the interaction between the devs and community here are about as good as it gets.  Thanks for all that you do.

  • And just how does PFSense mitigate against this type of attack compared to competitors?

  • Well, the main way is by not allowing webGUI access using a hostname other than the one assigned to pfSense in version 2.0. There is an exception list for other hostnames used if needed, or IP address can be used without restriction, as that is not a security risk with DNS Rebinding attacks. These protections are on by default in 2.0 beta currently, even when upgrading from 1.x. It's always recommended to change the default administration password for the webGUI as well, and if you do this and are not logged into the webGUI (or are not logged into the same web browser used for other tasks), even attempts at DNS Rebinding attacks are unlikely to succeed because they would need to rely on a flaw in the LAN administration code to authenticate/change the firewall (this is the case even in 1.x). So the main recommendations beyond the build-in protections are: 1) use a different web browser for administration than for web browsing, and 2) change the default password to something secure (do this anyway!).

    At least that's what I'm familiar with. I'm sure someone else may have information about additional precautions taken.

Log in to reply