Bug #8750
closed
DNS Rebinding check fails to block IPv6 representation of IPv4 addresses in Unbound
100%
Description
Not sure if this also affects DNSMasq.
If DNS Rebinding check is not disabled in Settings > Advanced, and a DNS server returns an IPv6 representation of an RFC 1918 IPv4 address for a hostname lookup, Unbound fails to block the result, allowing the resolution to complete successfully.
The following options should be added to the unbound.conf file to block the IPv6 representations of the RFC 1918 and APIPA address ranges when DNS Rebinding check is not disabled:
private-address: ::ffff:a00:0/104
private-address: ::ffff:a9fe:0/112
private-address: ::ffff:ac10:0/108
private-address: ::ffff:c0a8:0/112
Updated by JohnPoz _ over 6 years ago
Forgot link to thread discussing it
https://forum.netgate.com/topic/133497/dns-rebind-protection-not-working
Great catch btw.. I have verified this as well, dig does not return value since it's only doing A.. but Windows nslookup will return AAAA that as A.. The question is what does say a browser do..
Updated by Jim Pingle over 6 years ago
- Assignee set to Jim Pingle
- Target version set to 2.4.4
- Affected Version set to All
- Affected Architecture All added
- Affected Architecture deleted ()
Updated by Jim Pingle over 6 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset df0a71cbf096e4990d302a12bd274d8e47102957.
Updated by Vladimir Lind over 6 years ago
- Status changed from Feedback to Resolved
On 2.4.3-p1:
Shell Output - nslookup net10.rebindtest.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: net10.rebindtest.com
Address: ::ffff:10.0.0.1
On 2.4.4 Tue Aug 14 16:55:58 EDT 2018:
Server: 127.0.0.1
Address: 127.0.0.1#53
*** Can't find net10.rebindtest.com: No answer
Looks good now.
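The four private-address lines in the description can be derived mechanically: an IPv4 range a.b.c.d/n maps to ::ffff:a.b.c.d with prefix 96 + n. The Python below is an added example, not part of the original ticket or of pfSense/Unbound code; the function names and the simplified list model in is_blocked are assumptions made for illustration.

```python
import ipaddress

# IPv4 ranges named in the report: RFC 1918 plus APIPA (169.254.0.0/16).
PRIVATE_V4 = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

MAPPED_BASE = int(ipaddress.IPv6Address("::ffff:0:0"))  # start of ::ffff:0:0/96


def mapped_network(v4net):
    """IPv4-mapped IPv6 network covering v4net: same bits, prefix + 96."""
    addr = ipaddress.IPv6Address(MAPPED_BASE | int(v4net.network_address))
    return ipaddress.IPv6Network((addr, 96 + v4net.prefixlen))


def hextet_form(v4addr):
    """Write the mapped address in pure hex groups, as the report does."""
    value = int(v4addr)
    return f"::ffff:{value >> 16:x}:{value & 0xFFFF:x}"


def unbound_lines():
    """Render the private-address options for the mapped ranges."""
    return [f"private-address: {hextet_form(n.network_address)}/{96 + n.prefixlen}"
            for n in PRIVATE_V4]


def is_blocked(answer, include_mapped=True):
    """Simplified model of the rebinding check for one A/AAAA answer.

    include_mapped=False models a list holding only the IPv4 ranges,
    which is the situation the report describes.
    """
    nets = list(PRIVATE_V4)
    if include_mapped:
        nets += [mapped_network(n) for n in PRIVATE_V4]
    ip = ipaddress.ip_address(answer)
    return any(ip.version == n.version and ip in n for n in nets)


if __name__ == "__main__":
    print("\n".join(unbound_lines()))
    # Answer taken from the nslookup output in this ticket.
    print(is_blocked("::ffff:10.0.0.1", include_mapped=False))
    print(is_blocked("::ffff:10.0.0.1"))
```
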