Unbound - small DNS Rebinding Security Issue



  • Hello.
    Found a small DNS Rebinding Security issue, and that is that 127.0.0.0/8 is not covered by rebinding protection.

    Using "custom" config does not work at all (yields an invalid config).

    However, if you use File manager, you can easily go into: /usr/local/pkg/unbound.inc, scroll down until you find "private-address: 10.0.0.0/8" and then add the following entry:

    private-address: 127.0.0.0/8

    The whole block should read:

    # For DNS Rebinding prevention

    private-address: 10.0.0.0/8
    private-address: 127.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

    Testing tools should now report that you have full IPv4 DNS Rebinding protection, rather than "partial IPv4 DNS Rebinding protection".

    Maybe this can be patched into the package?



  • you should contact the maintainer of unbound to get this added to the updated
    package… (wagonza)

    nice catch.



  • @SunCatalyst:

    you should contact the maintainer of unbound to get this added to the updated
    package… (wagonza)

    … We both hope that he is reading this forum? ;)



  • A bit late on this thread - but adding 127.0.0.0/8 would hinder mail servers making use of RBLs.
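The two points in this thread, the "partial" versus "full" IPv4 verdict that the first post says testing tools give before and after adding private-address: 127.0.0.0/8, and the last post's warning that the same line breaks RBL lookups, can be checked against a config fragment without touching a live resolver. The script below is an added example written for this page; it is not part of the Unbound package, pfSense, or any of the posters' code. It embeds a constructed copy of the private-address block (not read from /usr/local/pkg/unbound.inc), parses the private-address lines with the ipaddress module, reports which loopback/RFC 1918/link-local IPv4 ranges are still missing, and shows what happens to a typical DNSBL answer. The 127.0.0.2 answer is an assumption standing in for how most RBLs encode a listing (an A record inside 127.0.0.0/8), which is exactly the traffic the last post is worried about.

```python
import ipaddress
import re

# Constructed sample of the relevant Unbound block, as found before the fix
# proposed in the thread.  This is an inline string for the example, not the
# contents of /usr/local/pkg/unbound.inc on any real box.
CONFIG_BEFORE = """
server:
    # For DNS Rebinding prevention
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 169.254.0.0/16
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
"""

# The same block with the line the first post asks for added after 10.0.0.0/8.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "private-address: 10.0.0.0/8",
    "private-address: 10.0.0.0/8\n    private-address: 127.0.0.0/8",
)

# IPv4 ranges a rebinding attack would want to point a public name at.
IPV4_LOCAL_RANGES = [
    "127.0.0.0/8",      # loopback: the gap the first post found
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "169.254.0.0/16",   # link-local
]

# Assumed DNSBL answer: RBLs usually return an A record in 127.0.0.0/8 to
# mean "listed", so filtering that range strips the answer (last post).
RBL_LISTED_ANSWER = "127.0.0.2"

PRIVATE_ADDRESS_RE = re.compile(r"^\s*private-address:\s*(\S+)", re.MULTILINE)


def private_networks(config_text):
    """Return the networks listed as private-address in an Unbound config."""
    return [ipaddress.ip_network(m.group(1), strict=False)
            for m in PRIVATE_ADDRESS_RE.finditer(config_text)]


def is_filtered(answer_ip, nets):
    """True if an answer with this address falls inside a private-address net.

    Unbound strips such addresses from answers for domains that are not
    listed under private-domain, which is the rebinding protection itself.
    """
    ip = ipaddress.ip_address(answer_ip)
    # `in` returns False (does not raise) when the IP versions differ.
    return any(ip in net for net in nets)


def ipv4_coverage(nets):
    """Split IPV4_LOCAL_RANGES into (covered, missing) for these nets."""
    covered, missing = [], []
    for cidr in IPV4_LOCAL_RANGES:
        wanted = ipaddress.ip_network(cidr)
        if any(n.version == wanted.version and wanted.subnet_of(n) for n in nets):
            covered.append(cidr)
        else:
            missing.append(cidr)
    return covered, missing


def rebinding_report(config_text):
    """Mimic the 'partial'/'full' IPv4 verdict and flag the RBL side effect."""
    nets = private_networks(config_text)
    _, missing = ipv4_coverage(nets)
    return {
        "ipv4_protection": "full" if not missing else "partial",
        "missing": missing,
        # The cost of full coverage: a listing reply from an RBL gets dropped.
        "rbl_answer_filtered": is_filtered(RBL_LISTED_ANSWER, nets),
    }


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, rebinding_report(cfg))
```

Run stand-alone it prints a "partial" report with 127.0.0.0/8 missing for the original block and a "full" report for the patched one, with rbl_answer_filtered flipping to True at the same time; that second field is the trade-off the last reply raises. Unbound does have a private-domain option that exempts a zone from the private-address filter, but whether that is a workable way to keep RBL zones answering on this package is not something this thread discusses.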