/etc/inc/unbound.inc: Pfsense Default Unbound Configuration does not Prevent DNS Rebinding Attacks Against Localhost
By default Unbound attempts to prevent DNS rebinding attacks by stripping private (RFC1819) addresses out of DNS responses. DNS rebinding attacks can also be launched against localhost/loopback addresses. By default the Unbound configuration that Pfsense ships does not include localhost/loopback addresses in the list of "Private addresses" Unbound should strip out. This means a DNS rebinding attack against a loopback address will not be prevented even when "DNS Rebinding Checks" are enabled (Which is the default). An example of an attack chain that leverages DNS rebinding against loopback is this RCE against Blizzard's Battle.Net application: https://bugs.chromium.org/p/project-zero/issues/detail?id=1471. A more recent example involving stealing cryptocurrency is https://blog.ret2.io/2019/08/28/sia-coin-dns-rebinding/.
This can be resolved by adding "private-address: 127.0.0.0/8" to the list of private addresses in "/etc/inc/unbound.inc" (https://github.com/pfsense/pfsense/blob/master/src/etc/inc/unbound.inc).