Netgate Discussion Forum

    DNS rebinding prevention blocks public IP range

    Category: DHCP and DNS
    6 Posts 3 Posters 2.8k Views
      markn62

      This ought to be an easy question, but I sure am googly-eyed.  :o

      Last I checked, 192.254.0.0/16 was not part of the private IP pool.  So why does DNS rebinding prevention block it?  Unbound won't resolve klymit.com unless I disable rebinding prevention.

      I was searching for a workaround and read that I should disable the DNS forwarder but add a host or domain override there.  Nothing about DNSMasq in that GUI section, though.  Now the following entries are in the unbound config, but I'm not certain how they got there.  I can resolve the domain name now.  Not sure it still will after a reboot of pfSense.  It reads:

      DNSMasq Host overrides

      local-data-ptr: "192.254.190.194 klymit.com"
      local-data: "klymit.com IN A 192.254.190.194"

        markn62

        I think I found the problem. A simple typo.

        In "Unbound DNS Settings", with "Private Address support" enabled, the following lands in the unbound configuration:

        For DNS Rebinding prevention

        private-address: 10.0.0.0/8
        private-address: 172.16.0.0/12
        private-address: 192.168.0.0/16
        private-address: 192.254.0.0/16
        private-address: fd00::/8
        private-address: fe80::/10

        If you read http://www.unbound.net/documentation/unbound.conf.html, it's obvious the address should be 169.x.x.x, not 192.x.x.x, which is why klymit.com was not resolving.

        private-address: <IP address or subnet>
        [snip] We consider to enable this for the RFC1918 private IP address space by default in later releases. That would enable private addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 fd00::/8 and fe80::/10, since the RFC standards say these addresses should not be visible on the public internet. Turning on 127.0.0.0/8 would hinder many spam blocklists as they use that. [/snip]

          markn62

          Secondly, I thought I could leave "Private Address support" enabled and put a static host in the DNS forwarder, which lands the following in unbound.conf:

          DNSMasq Host overrides

          local-data-ptr: "192.254.190.194 klymit.com"
          local-data: "klymit.com IN A 192.254.190.194"

          The Private Address support note reads, "Domain Overrides and Host entries will be allowed to return answers if this option is enabled." If this is accurate, shouldn't the override above actually override the rebinding prevention below?

          For DNS Rebinding prevention

          private-address: 192.254.0.0/16

            wagonza
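An audit script for the situation in the two posts above, added here as an example (not code from the thread or from pfSense): it parses the private-address and local-data lines, flags any private-address entry that is not one of the ranges the unbound.conf documentation lists (the 192.254.0.0/16 typo), reports a documented range that is absent (169.254.0.0/16), and lists host overrides whose address sits inside a configured private-address range. The sample configuration is constructed from the lines quoted in the thread.

```python
import ipaddress
import re

# Ranges the unbound.conf documentation names for DNS rebinding prevention:
# RFC 1918, RFC 3927 link-local, IPv6 ULA and IPv6 link-local.
EXPECTED_PRIVATE = {ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10")}

PRIVATE_RE = re.compile(r'^\s*private-address:\s*(\S+)', re.M)
LOCAL_DATA_RE = re.compile(r'^\s*local-data:\s*"(\S+)\s+IN\s+A\s+(\S+)"', re.M)

# Constructed sample mirroring the unbound.conf lines quoted in the thread.
SAMPLE_CONF = """\
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 192.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
local-data-ptr: "192.254.190.194 klymit.com"
local-data: "klymit.com IN A 192.254.190.194"
"""

def audit_unbound(conf_text):
    """Return (unexpected, missing, shadowed) for an unbound.conf text:
    unexpected = private-address entries outside the documented private
    ranges (public space that rebinding prevention would filter), missing =
    documented ranges absent from the config, shadowed = (name, addr, range)
    for each local-data A record inside a configured private-address range."""
    configured = [ipaddress.ip_network(m.group(1), strict=False)
                  for m in PRIVATE_RE.finditer(conf_text)]
    unexpected = sorted(str(n) for n in configured if n not in EXPECTED_PRIVATE)
    missing = sorted(str(n) for n in EXPECTED_PRIVATE - set(configured))
    shadowed = []
    for m in LOCAL_DATA_RE.finditer(conf_text):
        name, addr = m.group(1), ipaddress.ip_address(m.group(2))
        hits = [str(n) for n in configured if addr in n]  # False across v4/v6
        if hits:
            shadowed.append((name, str(addr), hits[0]))
    return unexpected, missing, shadowed

if __name__ == "__main__":
    unexpected, missing, shadowed = audit_unbound(SAMPLE_CONF)
    for n in unexpected:
        print("public range listed as private-address (typo?):", n)
    for n in missing:
        print("documented private range not configured:", n)
    for name, addr, net in shadowed:
        print(f"override {name} -> {addr} lies inside private-address {net}")
```

Running it against the constructed sample reports the 192.254.0.0/16 entry as public, 169.254.0.0/16 as missing, and the klymit.com override as sitting inside the mistyped range; after correcting the typo all three lists are empty.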

            Fixed. Geez, that bug has been around for a while!

            Thanks

            Follow me on twitter http://twitter.com/wagonza
            http://www.thepackethub.co.za

              doktornotor

              People, please revbump the package version when doing similar fixes. Otherwise no one gets a chance to notice and get them.

                markn62

                I would revbump if I knew how. ::)

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.