Anti DNS Rebinding patch for Dnsmasq
  • Maybe an idea to build into pfSense?

    (Quote: Collin R. Mulliner)
    here is a patch for Dnsmasq (the very popular DHCP server and DNS forwarder and cache) that will prevent DNS rebinding attacks against private networks (192.168,10.,…). The patch basically adds a filter to the forward resolver of Dnsmasq. The filter will basically drop all private IP addresses contained in answers. Of course this will not prevent a rebinding attack against other IP ranges like if your local network uses some public IP range. But since Dnsmasq is mainly used for home Cable/DSL routers (like the OpenWRT-based routers) this patch should offer sufficient protection.

    dnsmasq_stopdnsrebind.patch (for dnsmasq 2.40)

    To activate the DNS rebinding protection add --stop-dns-rebinding to the dnsmasq command line. I made it a command line option since dnsmasq is also used as a DNS cache on clients (e.g. Nokia N800) and you still want to be able to resolve local IP addresses.

    dnsmasq with dns rebinding protection:
    http://www.thekelleys.org.uk/dnsmasq/test-releases/dnsmasq-2.41test11.tar.gz

    original patch:
    http://www.mulliner.org/blog/blosxom.cgi/security/dnsmasq_dnsrebinding_protection_patch.html
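The filter the post describes, as an added example (not the patch's own code): a Python check that parses an upstream DNS response and refuses it when any A record in the answer section points into a private range. Loopback and link-local ranges are included as an assumption beyond the original patch's private-range scope; `build_response` only constructs sample responses for testing.

```python
import ipaddress
import struct

# Ranges a rebinding filter refuses to accept from an upstream resolver.
# RFC 1918 space matches the patch; loopback and link-local are an assumed
# extension, not part of the original patch.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def _skip_name(msg, offset):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return offset + 2
        if length == 0:
            return offset + 1
        offset += 1 + length

def answer_addresses(msg):
    """Yield the IPv4 addresses carried by A records in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    offset = 12                                   # fixed 12-byte header
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4      # skip QTYPE and QCLASS
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        if rtype == 1 and rdlen == 4:             # type A, 4-byte RDATA
            yield ipaddress.IPv4Address(msg[offset:offset + 4])
        offset += rdlen

def should_drop(msg):
    """True if any answer A record lands in a blocked range (drop the reply)."""
    return any(addr in net for addr in answer_addresses(msg)
               for net in BLOCKED_NETWORKS)

def build_response(name, addresses):
    """Constructed sample response for NAME with one A record per address."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addresses), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(a).packed
        for a in addresses)
    return header + question + answers
```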



  • Support for this is in 2.0.