DNS Rebinding check fails to block IPv6 representation of IPv4 addresses in Unbound
Not sure if this also affects DNSMasq.
If DNS Rebinding check is not disabled in Settings > Advanced, and a DNS server returns an IPv6 representation of an RFC 1918 IPv4 address for a hostname lookup, Unbound fails to block the result, allowing the resolution to complete successfully.
The following options should be added to the unbound.conf file to block the IPv6 representations of the RFC 1918 and APIPA address ranges when DNS Rebinding check is not disabled:
Forgot link to thread discussing it
Great catch btw.. I have verified this as well, dig does not return a value since it's only doing A.. but Windows nslookup will return AAAA that as A.. The question is what does say a browser do..
#4 Updated by Vladimir Lind 9 months ago
- Status changed from Feedback to Resolved
Shell Output - nslookup net10.rebindtest.com
On 2.4.4 Tue Aug 14 16:55:58 EDT 2018:
- Can't find net10.rebindtest.com: No answer
Looks good now.
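For the behaviour reported in the description, the following is an added example (not code from this ticket or from the project) of a rebinding check that unwraps IPv6 answers before testing them against the RFC 1918 and APIPA ranges. It assumes the "IPv6 representation" is the IPv4-mapped form `::ffff:a.b.c.d`; the function names and sample answers are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges plus APIPA (169.254.0.0/16), the ranges named in the issue.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

MAPPED_BASE = int(ipaddress.IPv6Address("::ffff:0:0"))  # IPv4-mapped prefix, /96


def mapped_prefix(v4net):
    """Return the IPv4-mapped IPv6 network that covers the given IPv4 network."""
    base = MAPPED_BASE | int(v4net.network_address)
    # The 32 IPv4 bits sit at the bottom of the 128-bit address, so the
    # prefix length grows by 96.
    return ipaddress.IPv6Network((base, 96 + v4net.prefixlen))


def embedded_ipv4(addr):
    """Return the IPv4 address an answer carries, or None for plain IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ip
    return ip.ipv4_mapped  # None unless the address is ::ffff:a.b.c.d


def is_rebind_candidate(addr):
    """True if an A or AAAA answer points into a private IPv4 range."""
    v4 = embedded_ipv4(addr)
    return v4 is not None and any(v4 in net for net in PRIVATE_V4)


def audit(answers):
    """Return the subset of answer addresses a rebinding filter should drop."""
    return [a for a in answers if is_rebind_candidate(a)]


if __name__ == "__main__":
    # Constructed sample answers; the mapped ones are what an A-only filter misses.
    sample = ["10.1.2.3", "::ffff:10.1.2.3", "::ffff:c0a8:101",
              "::ffff:8.8.8.8", "2001:db8::1"]
    print("drop:", audit(sample))
    for net in PRIVATE_V4:
        print(net, "->", mapped_prefix(net))
```

`mapped_prefix` gives the IPv6 networks a filter that only matches literal prefixes would have to list, while `is_rebind_candidate` avoids the list by normalising each answer first.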