Project

General

Profile

Actions

Correction #14123

closed

DNS Rebinding pfsense documentation

Added by Alex Sensation almost 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
DNS
Target version:
-
Start date:
Due date:
% Done:

100%

Estimated time:

Description

DNS protection documentation here: <https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-protection> states:

"When DNS rebinding attack protection is active the DNS Resolver strips RFC 1918 addresses from DNS responses."

This type of protection comes from the pfsense GUI Disable DNS Rebinding Checks, which uses the private-address: setting from unbound. Activating this option, removes addresses in the 127.0.0.0/8 range on top of the private RFC 1918 addresses.

Feel free to call me an idiot but I belive the 127.0.0.0/8 range is not included in RFC 1918 thus a correction should be helpful for people that use DNSBL which often use that range.

The unbound documentation explicitely states how using this range hinders spamblocklists. <https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html>


Files

clipboard-202303171859-9ytbh.png (124 KB) clipboard-202303171859-9ytbh.png Alex Sensation, 03/17/2023 05:59 PM
Actions #1

Updated by Jim Pingle over 1 year ago

  • Status changed from New to Closed
  • Assignee set to Jim Pingle
  • % Done changed from 0 to 100

This should hopefully be more clear now.

I updated the text a bit, added more information, and corrected references to the various address ranges, plus added some mentions of RBLs and so on.

https://gitlab.netgate.com/docs/pfSense-docs/-/commit/ba729b95b3b99b311c191e669e302bc890598927

Actions

Also available in: Atom PDF