DNS rebinding prevention blocks public IP range



  • This ought to be an easy question but sure am google eyed.  :o

    Last I checked 192.254.0.0/16 was not part of the private IP pool.  The reason DNS rebinding prevention blocks it?  Unbound won't resolve klymit.com unless I disable rebind prevent.

    I was searching for a work-around and read to disable the DNS forwarder but add a host or domain override there.  Nothing about DNSMasq in that GUI section though.  Now the following entries are in the unbound config but not certain how they got there.  Can resolve the domain name now.  Not sure it still will be after reboot of pfSense.  Reads:

    DNSMasq Host overrides

    local-data-ptr: "192.254.190.194 klymit.com"
    local-data: "klymit.com IN A 192.254.190.194"



  • Think I found the problem. Simple typo error.

    In "Unbound DNS Settings" with "Private Address support" checked (enabled), the following lands in the unbound configuration:

    For DNS Rebinding prevention

    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 192.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

    If you read http://www.unbound.net/documentation/unbound.conf.html, it's obvious the addy should be 169.x.x.x, not 192.x.x.x, which is why klymit.com was not resolving.

    private-address: <IP address or subnet>
    <snip> We consider to enable this for the RFC1918 private IP address space by default in later releases. That would enable private addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 fd00::/8 and fe80::/10, since the RFC standards say these addresses should not be visible on the public internet. Turning on 127.0.0.0/8 would hinder many spam blocklists as they use that. </snip>



  • Secondly, I thought I could leave "Private Address support" enabled and put a static host in the DNS forwarder, which lands the following in the unbound.conf:

    DNSMasq Host overrides

    local-data-ptr: "192.254.190.194 klymit.com"
    local-data: "klymit.com IN A 192.254.190.194"

    The Private Address support note reads, "Domain Overrides and Host entries will be allowed to return answers if this option is enabled." If this is accurate, shouldn't the override above actually override the rebinding prevention below?

    For DNS Rebinding prevention

    private-address: 192.254.0.0/16
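
The two posts above boil down to a config audit: is every private-address line one of the RFC 1918 / link-local ranges the Unbound manual lists, and does any host override hand out an address that falls inside one of those blocked ranges? The following script is an added example, not part of this thread or of pfSense; it parses the unbound.conf fragments quoted above (embedded as constructed sample text) and reports both conditions.

```python
import ipaddress

# Ranges the Unbound manual names as the intended private-address set
# (RFC 1918, IPv4 link-local, IPv6 ULA, IPv6 link-local).
EXPECTED_PRIVATE = {
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "169.254.0.0/16", "fd00::/8", "fe80::/10")
}

# Constructed sample: the lines quoted in the thread, including the typo.
SAMPLE_CONF = """
local-data-ptr: "192.254.190.194 klymit.com"
local-data: "klymit.com IN A 192.254.190.194"
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 192.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
"""

def parse_unbound(text):
    """Collect private-address networks and local-data A/AAAA records."""
    private, local = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if line.startswith("private-address:"):
            net = line.split(":", 1)[1].strip()
            private.append(ipaddress.ip_network(net, strict=False))
        elif line.startswith("local-data:"):
            # value looks like: "klymit.com IN A 192.254.190.194"
            rr = line.split(":", 1)[1].strip().strip('"').split()
            if len(rr) >= 4 and rr[-2] in ("A", "AAAA"):
                local.append((rr[0].rstrip("."), ipaddress.ip_address(rr[-1])))
    return private, local

def audit(text):
    """Return (unexpected private-address entries,
               (name, address, blocking range) for overrides inside one)."""
    private, local = parse_unbound(text)
    bad = [str(n) for n in private if n not in EXPECTED_PRIVATE]
    overlap = [(name, str(addr), str(net))
               for name, addr in local for net in private if addr in net]
    return bad, overlap

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Running it on the sample flags 192.254.0.0/16 as a range that is not in the expected set and shows the klymit.com override landing inside that same range; swapping the line for 169.254.0.0/16 clears both findings.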



  • Fixed. Geez that bug has been around for a while!

    Thanks



    People please revbump the package version when doing similar fixes. Otherwise no one gets a chance to notice and get them.



  • I would revbump if I knew how.  ::)

