Correction #14123

closed

DNS Rebinding pfsense documentation

Added by Alex Sensation about 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Assignee:
Category: DNS
Target version: -
Start date:
Due date:
% Done: 100%
Estimated time:
Description

DNS protection documentation here: <https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-protection> states:

"When DNS rebinding attack protection is active the DNS Resolver strips RFC 1918 addresses from DNS responses."

This type of protection comes from the pfsense GUI Disable DNS Rebinding Checks, which uses the private-address: setting from unbound. Activating this option removes addresses in the 127.0.0.0/8 range on top of the private RFC 1918 addresses.

Feel free to call me an idiot, but I believe the 127.0.0.0/8 range is not included in RFC 1918, thus a correction should be helpful for people that use DNSBL, which often use that range.

The unbound documentation explicitly states how using this range hinders spamblocklists. <https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html>


Files

clipboard-202303171859-9ytbh.png (124 KB) Alex Sensation, 03/17/2023 05:59 PM

#1

Updated by Jim Pingle about 1 year ago

  • Status changed from New to Closed
  • Assignee set to Jim Pingle
  • % Done changed from 0 to 100

This should hopefully be more clear now.

I updated the text a bit, added more information, and corrected references to the various address ranges, plus added some mentions of RBLs and so on.

https://gitlab.netgate.com/docs/pfSense-docs/-/commit/ba729b95b3b99b311c191e669e302bc890598927
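
To make the distinction raised in this ticket concrete, the following added example (not pfSense or Unbound code, and not part of the ticket) models the filtering as the report describes it: RFC 1918 ranges plus 127.0.0.0/8. The function names, sample hostnames and addresses are constructed for illustration; the exemption list mirrors Unbound's `private-domain:` option in simplified form.

```python
import ipaddress

# Ranges as this ticket describes them: RFC 1918 plus 127.0.0.0/8.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in RFC1918 + ["127.0.0.0/8"]]


def under(qname, zone):
    """True if qname equals zone or is a subdomain of it."""
    q, z = qname.lower().rstrip("."), zone.lower().rstrip(".")
    return q == z or q.endswith("." + z)


def is_rfc1918(addr):
    """True only for the three RFC 1918 blocks; loopback is not one of them."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in RFC1918)


def filter_answer(qname, addresses, private_domains=()):
    """Simplified model of private-address filtering (assumption, not Unbound's code).

    Returns (kept, stripped). Names under a private_domains entry are exempt.
    """
    if any(under(qname, d) for d in private_domains):
        return list(addresses), []
    kept, stripped = [], []
    for a in addresses:
        ip = ipaddress.ip_address(a)
        (stripped if any(ip in n for n in PRIVATE_ADDRESS) else kept).append(a)
    return kept, stripped


# Constructed sample answers (not captured traffic).
SAMPLES = [
    ("rebind.example.com", ["192.168.1.1", "203.0.113.10"]),
    ("2.0.0.127.dnsbl.example.net", ["127.0.0.2"]),  # DNSBL-style "listed" reply
]

if __name__ == "__main__":
    for qname, addrs in SAMPLES:
        kept, stripped = filter_answer(qname, addrs)
        for a in stripped:
            tag = "RFC 1918" if is_rfc1918(a) else "not RFC 1918"
            print(f"{qname}: stripped {a} ({tag})")
        print(f"{qname}: kept {kept}")
    # With the DNSBL zone exempted, the loopback-range reply survives.
    print(filter_answer(*SAMPLES[1], private_domains=["dnsbl.example.net"]))
```

The second sample shows the effect the report is about: the DNSBL reply is stripped even though its address is outside RFC 1918, and exempting the zone restores it.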
