Bug #8750

DNS Rebinding check fails to block IPv6 representation of IPv4 addresses in Unbound

Added by Michael Virgilio 10 months ago. Updated 9 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
DNS Resolver
Target version:
Start date:
08/04/2018
Due date:
% Done:

100%

Estimated time:
Affected Version:
All
Affected Architecture:
All

Description

Not sure if this also affects DNSMasq.

If DNS Rebinding check is not disabled in Settings > Advanced, and a DNS server returns an IPv6 representation of an RFC 1918 IPv4 address for a hostname lookup, Unbound fails to block the result, allowing the resolution to complete successfully.

The following options should be added to the unbound.conf file to block the IPv6 representations of the RFC 1918 and APIPA address ranges when DNS Rebinding check is not disabled:

private-address: ::ffff:a00:0/104
private-address: ::ffff:a9fe:0/112
private-address: ::ffff:ac10:0/108
private-address: ::ffff:c0a8:0/112
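
As an added illustration (not code from the report or from pfSense/Unbound), the following Python shows why the four lines above are needed: a check that compares only literal IPv4 answers misses `::ffff:10.0.0.1`, while one that also consults the IPv4-mapped ranges catches it. It also derives those four `private-address` lines from the IPv4 ranges; the IPv4 list itself (RFC 1918 plus APIPA) is an assumption taken from the description.

```python
import ipaddress

# IPv4 ranges the rebinding check already blocks (assumption: RFC 1918 plus
# APIPA, as the report describes; pfSense's full list may differ).
PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]

# The four IPv4-mapped IPv6 ranges the report asks to add to unbound.conf.
MAPPED_PRIVATE_V6 = [ipaddress.ip_network(n) for n in (
    "::ffff:a00:0/104", "::ffff:a9fe:0/112",
    "::ffff:ac10:0/108", "::ffff:c0a8:0/112",
)]


def mapped_private_address_lines(v4_nets=PRIVATE_V4) -> list:
    """Derive the private-address lines for the ::ffff:0:0/96 form of each
    IPv4 range: same network bits, prefix length shifted by 96."""
    lines = []
    for net in v4_nets:
        mapped = ipaddress.IPv6Address(f"::ffff:{net.network_address}")
        lines.append(f"private-address: {mapped}/{net.prefixlen + 96}")
    return lines


def blocked_v4_only(answer: str) -> bool:
    """Pre-fix behaviour: only literal IPv4 answers are compared."""
    addr = ipaddress.ip_address(answer)
    return addr.version == 4 and any(addr in net for net in PRIVATE_V4)


def blocked_with_mapped(answer: str) -> bool:
    """Post-fix behaviour: IPv6 answers are checked against the mapped list."""
    addr = ipaddress.ip_address(answer)
    nets = PRIVATE_V4 if addr.version == 4 else MAPPED_PRIVATE_V6
    return any(addr in net for net in nets)


if __name__ == "__main__":
    for line in mapped_private_address_lines():
        print(line)
    for answer in ("10.0.0.1", "::ffff:10.0.0.1", "::ffff:8.8.8.8"):
        print(answer, blocked_v4_only(answer), blocked_with_mapped(answer))
```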

Associated revisions

Revision df0a71cb (diff)
Added by Jim Pingle 10 months ago

Add IPv6 version of IPv4 private nets to DNS Rebinding list. Fixes #8750

History

#1 Updated by JohnPoz _ 10 months ago

Forgot link to thread discussing it
https://forum.netgate.com/topic/133497/dns-rebind-protection-not-working

Great catch btw.. I have verified this as well, dig does not return the value since it's only doing A.. but windows nslookup will return that AAAA as A.. The question is what does say a browser do..

#2 Updated by Jim Pingle 10 months ago

  • Assignee set to Jim Pingle
  • Target version set to 2.4.4
  • Affected Version set to All
  • Affected Architecture set to All

#3 Updated by Jim Pingle 10 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#4 Updated by Vladimir Lind 9 months ago

  • Status changed from Feedback to Resolved

On 2.4.3-p1:

Shell Output - nslookup net10.rebindtest.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: net10.rebindtest.com
Address: ::ffff:10.0.0.1

On 2.4.4 Tue Aug 14 16:55:58 EDT 2018:

Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
*** Can't find net10.rebindtest.com: No answer

Looks good now.