Bug #8750

closed

DNS Rebinding check fails to block IPv6 representation of IPv4 addresses in Unbound

Added by Anonymous over 5 years ago. Updated over 5 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: DNS Resolver
Target version:
Start date: 08/04/2018
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

Not sure if this also affects DNSMasq.

If DNS Rebinding check is not disabled in Settings > Advanced, and a DNS server returns an IPv6 representation of an RFC 1918 IPv4 address for a hostname lookup, Unbound fails to block the result, allowing the resolution to complete successfully.

The following options should be added to the unbound.conf file to block the IPv6 representations of the RFC 1918 and APIPA address ranges when DNS Rebinding check is not disabled:

private-address: ::ffff:a00:0/104
private-address: ::ffff:a9fe:0/112
private-address: ::ffff:ac10:0/108
private-address: ::ffff:c0a8:0/112
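
The mapping behind those four prefixes, as an added example that is not part of the original report nor pfSense or Unbound code: it derives each IPv4-mapped IPv6 prefix from its IPv4 range and checks whether an AAAA answer falls inside one. The function names and the sample answers are constructed for illustration.

```python
import ipaddress

# IPv4 ranges named in the report: RFC 1918 plus APIPA (169.254.0.0/16).
PRIVATE_V4 = ["10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]
MAPPED_BASE = int(ipaddress.IPv6Address("::ffff:0:0"))  # start of ::ffff:0:0/96


def mapped_network(v4_cidr):
    """Return the IPv4-mapped IPv6 network covering an IPv4 CIDR (hypothetical helper)."""
    net = ipaddress.IPv4Network(v4_cidr)
    base = ipaddress.IPv6Address(MAPPED_BASE | int(net.network_address))
    # The IPv4 address fills the low 32 bits, so the prefix length grows by 96.
    return ipaddress.IPv6Network((base, 96 + net.prefixlen))


def private_address_line(v4_cidr):
    """Format an unbound.conf private-address line in the notation the report uses."""
    net = mapped_network(v4_cidr)
    low32 = int(net.network_address) & 0xFFFFFFFF
    return "private-address: ::ffff:%x:%x/%d" % (low32 >> 16, low32 & 0xFFFF, net.prefixlen)


def is_mapped_private(aaaa):
    """True if an AAAA answer is an IPv4-mapped form of one of the ranges above."""
    addr = ipaddress.IPv6Address(aaaa)
    return any(addr in mapped_network(cidr) for cidr in PRIVATE_V4)


if __name__ == "__main__":
    for cidr in PRIVATE_V4:
        print(private_address_line(cidr))
    # Constructed sample AAAA answers, not taken from the report.
    for answer in ["::ffff:c0a8:101", "::ffff:172.31.255.254", "::ffff:808:808", "2001:db8::1"]:
        print(answer, "blocked" if is_mapped_private(answer) else "allowed")
```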
