
Can this be solved by configuring the local system (e.g. Debian?) to blacklist any DNS resolution that ends up being a private IP address? Is this possible to configure at the firewall level?



How about local IPv6 addresses? I can easily see this being left out due to sheer complexity.


I'm guessing that even in a future in which we have 100% of IPv6 deployment, we would still run our loopback/LAN interfaces with IPv4 for simplicity...


It's too late. I have already run into issues on Linux distros with some daemons binding to 127.0.0.1, but localhost resolving to ::1.


There is only one local IPv6 address:

::1/128

Unlike IPv4 there is not an entire /8.


IPv6 still has the whole IPv4-mapped range at ::ffff:127.0.0.0/104
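
The check asked about at the top of the thread, written as a resolver-side filter (added example, not code from any commenter or from dnsmasq). It rejects answers that land in loopback, private, link-local or unspecified space, and it handles the IPv6 cases raised above: ::1 and the IPv4-mapped range ::ffff:0:0/96, which contains ::ffff:127.0.0.0/104. The function names and the sample answers are assumptions constructed for the example.

```python
"""Reject DNS answers that point at private or loopback addresses.

Added example for this thread; not code from any commenter. Function names
and sample data are constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def is_rebind_target(addr: str) -> bool:
    """Return True if a public hostname must never resolve to `addr`.

    Loopback, private (RFC 1918 / ULA), link-local and unspecified addresses
    are rejected. IPv4-mapped IPv6 addresses are unwrapped first, so that
    ::ffff:127.0.0.1 is judged as 127.0.0.1 rather than as an opaque IPv6
    address (older versions of the ipaddress module do not unwrap it).
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_loopback
        or ip.is_private
        or ip.is_link_local
        or ip.is_unspecified
    )


def filter_answers(name: str, answers: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split the resolved addresses for `name` into (accepted, rejected).

    This is the policy dnsmasq applies with --stop-dns-rebind: answers that
    land in private space are dropped, everything else passes through. The
    `name` parameter is kept so a caller can log which lookup was filtered.
    """
    accepted: List[str] = []
    rejected: List[str] = []
    for answer in answers:
        (rejected if is_rebind_target(answer) else accepted).append(answer)
    return accepted, rejected


# Constructed sample: the kind of answer set a rebinding host could return,
# mixing a public address with loopback in three spellings.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "www.rebind-sample.test": [
        "93.184.216.34",
        "127.0.0.1",
        "::ffff:127.0.0.1",
        "::1",
    ],
}


def check_samples() -> Dict[str, Tuple[List[str], List[str]]]:
    """Run the filter over the constructed sample answers."""
    return {name: filter_answers(name, addrs) for name, addrs in SAMPLE_ANSWERS.items()}


if __name__ == "__main__":
    for name, (ok, bad) in check_samples().items():
        print(f"{name}: accepted={ok} rejected={bad}")
```

The unwrap step is the part most easily forgotten: a filter that only tests `is_loopback` on the IPv6 object can pass `::ffff:127.0.0.1` on interpreters that do not look inside mapped addresses, which is exactly the gap the /104 comment above points at.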


You can run a dnsmasq locally with "--stop-dns-rebind".

I have this enabled on my router.


I was also going to mention this (https://doc.pfsense.org/index.php/DNS_Rebinding_Protections has a few notes).

dnsmasq has many other uses like tunneling all your DNS traffic through dnscrypt (https://www.opendns.com/about/innovations/dnscrypt/)


Ubiquiti router owners (I know there are a few on HN) can enable this option like so:

  ssh <router>
  configure
  set service dns forwarding options stop-dns-rebind
  commit
  save
/var/log/dnsmasq.log should contain the resolution failures after that. e.g.:

  Sep  1 21:48:41 dnsmasq[26479]: possible DNS-rebind attack detected: www.dropboxlocalhost.com



