Project

General

Profile

Feature #9304

DNS Rebind Protection should be configurable, defaults should be more sensible

Added by Andrew Bobulsky 16 days ago. Updated 16 days ago.

Status:
New
Priority:
Very Low
Assignee:
-
Category:
DNS Resolver
Target version:
-
Start date:
02/03/2019
Due date:
% Done:

0%

Estimated time:

Description

Problem

The DNS rebind protection approach currently being used by pfSense is too heavy handed. It indiscriminately blocks all RFC1918 ranges regardless of whether or not the resolver/forwarder is reasonably expected to be protecting those networks from potential rebind attacks.

This is a problem for me because I use a VPN that does not map a private DNS server, and instead all private hosts behind the VPN have their FQDNs available in public DNS. With pfSense's unbound resolver operating normally, I can't look up any of the domains behind my VPN because I'm being "protected" from resolving IPs that aren't even on the LAN side of my pfSense box anyway.

Request

  • Instead of outright blocking all RFC1918 results, block only ranges that pfSense has a link or route to by default.
  • Provide an option to disable the stock rebind protection altogether, which will then allow users to configure granular rebind protections directly in the unbound Custom options.

History

#1 Updated by Jim Pingle 16 days ago

  • Category set to DNS Resolver
  • Priority changed from Normal to Very Low

The default is fine as-is, it is the most secure assumption and safest.

There are documented ways to make exceptions: https://www.netgate.com/docs/pfsense/dns/dns-rebinding-protections.html

Someone could make a GUI option for that, but it's simple enough as-is that I'm not sure it's worth the effort.

#2 Updated by Andrew Bobulsky 16 days ago

The problem I ran into with the stock configuration is that there's absolutely no way to disable DNS rebind protection while still protecting the local network ranges.

Currently, the only way to disable rebind protection is by marking the DNS root as a private domain:

server:
private-domain: .

...but this supercedes all occurences of private-address, meaning it's impossible to make a configuration of the style I suggest, where only my local ranges are blocked from public DNS replies.

Also available in: Atom PDF