Feature #9304

closed

DNS Rebind Protection should be configurable, defaults should be more sensible

Added by Andrew Bobulsky about 5 years ago. Updated about 2 years ago.

Status: Resolved
Priority: Very Low
Assignee: -
Category: DNS Resolver
Target version: -
Start date: 02/03/2019
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:

Description

Problem

The DNS rebind protection approach currently being used by pfSense is too heavy-handed. It indiscriminately blocks all RFC1918 ranges regardless of whether or not the resolver/forwarder is reasonably expected to be protecting those networks from potential rebind attacks.

This is a problem for me because I use a VPN that does not map a private DNS server, and instead all private hosts behind the VPN have their FQDNs available in public DNS. With pfSense's unbound resolver operating normally, I can't look up any of the domains behind my VPN because I'm being "protected" from resolving IPs that aren't even on the LAN side of my pfSense box anyway.

Request

  • Instead of outright blocking all RFC1918 results, block only ranges that pfSense has a link or route to by default.
  • Provide an option to disable the stock rebind protection altogether, which will then allow users to configure granular rebind protections directly in the unbound Custom options.
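As an added illustration of the two requests (not code from the issue, pfSense or unbound), the following script renders the kind of unbound Custom options a route-aware policy would produce and models how unbound's rebind filter evaluates answers under it. The prefixes, the VPN zone name `vpn.example.net` and the helper names are constructed assumptions; the `private-address:` and `private-domain:` directives are real unbound options, where `private-domain` exempts a zone and its subdomains from the private-address check.

```python
"""Model of a route-aware DNS rebind filter for unbound.

Hypothetical helper, not pfSense or unbound code. Constructed scenario:
the firewall has a link to 192.168.1.0/24 and a route to 10.10.0.0/16,
and a VPN zone publishes private addresses in public DNS.
"""
import ipaddress

# The ranges the stock pfSense configuration blocks outright.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: only the prefixes this box has a link or route to.
LOCAL_PREFIXES = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.10.0.0/16")]

# Constructed: zone allowed to answer with private addresses (the VPN hosts).
ALLOWED_PRIVATE_DOMAINS = ["vpn.example.net"]


def private_address_directives(prefixes):
    """Emit one unbound `private-address:` line per protected prefix."""
    return [f"private-address: {p.with_prefixlen}" for p in prefixes]


def private_domain_directives(domains):
    """Emit one unbound `private-domain:` line per exempted zone."""
    return [f'private-domain: "{d}"' for d in domains]


def render_unbound_custom_options(prefixes=LOCAL_PREFIXES, domains=ALLOWED_PRIVATE_DOMAINS):
    """Render a `server:` clause suitable for the unbound Custom options box."""
    lines = ["server:"]
    lines += ["    " + line for line in private_address_directives(prefixes)]
    lines += ["    " + line for line in private_domain_directives(domains)]
    return "\n".join(lines) + "\n"


def in_allowed_domain(qname, domains):
    """True if qname equals or is a subdomain of any exempted zone."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in (x.lower() for x in domains))


def answer_blocked(qname, answer_ip, prefixes=LOCAL_PREFIXES, domains=ALLOWED_PRIVATE_DOMAINS):
    """Route-aware policy: drop an answer only if it points into a prefix the
    box actually protects, and the query name is not under an exempted zone."""
    ip = ipaddress.ip_address(answer_ip)
    if in_allowed_domain(qname, domains):
        return False
    return any(ip in p for p in prefixes)


def stock_blocked(qname, answer_ip):
    """The behaviour the issue describes: every RFC1918 answer is dropped."""
    ip = ipaddress.ip_address(answer_ip)
    return any(ip in p for p in RFC1918)


if __name__ == "__main__":
    print(render_unbound_custom_options())
    for name, addr in (("host.vpn.example.net", "10.200.5.7"),
                       ("attacker.example.com", "192.168.1.20"),
                       ("attacker.example.com", "10.200.5.7")):
        print(f"{name} -> {addr}: stock={stock_blocked(name, addr)} "
              f"route-aware={answer_blocked(name, addr)}")
```

The model makes the trade-off in the request visible: an answer for the VPN zone that resolves to 10.200.5.7 is dropped by the stock policy but passes the route-aware one, while an answer for an unrelated name that points at the LAN prefix is still dropped by both. An answer for an unrelated name pointing at a private range the box neither links nor routes to passes the route-aware policy, which is exactly the narrowing the issue asks for.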