Comment by X-Istence
Not resolving 127.0.0.1 or RFC1918 addresses or even ULA for IPv6 is done to avoid DNS rebinding attacks. For most end users that is probably the correct move.
In case you want to look into it further: My router actually allows adding exemptions to this policy on a per-hostname basis!
Sometimes I wish it would allow wildcards, but honestly that's probably just another way for users to shoot themselves in the foot (e.g. by adding '*').
> Sometimes I wish it would allow wildcards
pfSense for example uses unbound, and while it doesn't have a switch for disabling rebind protection, it does allow injecting arbitrary unbound config, which can disable rebind protection for any depth of a DNS zone or IP space. E.g.:
server:
    private-address: 192.168.0.1/24
    private-domain: plex.direct
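To make the mechanism in this thread concrete, here is an added example (not code from any commenter, and not unbound's own implementation) that models what a rebind filter like unbound's does with a DNS answer: it drops A/AAAA records that point at loopback, RFC 1918 or ULA space unless the queried name falls at or below an exempted zone, which is what `private-domain:` buys you for `plex.direct` and every subdomain of it. The private ranges, the function names and the `render_unbound_config` helper are assumptions of this example; matching is done on DNS labels so that a look-alike such as `evilplex.direct` does not inherit the exemption.

```python
import ipaddress

# Constructed set of "private" ranges in the spirit of the thread: loopback,
# RFC 1918 and IPv6 ULA. Assumption of this example, not unbound's exact defaults.
PRIVATE_ADDRESS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),  # IPv6 unique local addresses
]

# Zones that are allowed to answer with private addresses (the thread's example).
PRIVATE_DOMAIN = ["plex.direct"]


def in_private_zone(qname, zones):
    """True if qname equals or is a subdomain of any zone, compared label by label."""
    labels = qname.rstrip(".").lower().split(".")
    for zone in zones:
        zlabels = zone.rstrip(".").lower().split(".")
        if len(labels) >= len(zlabels) and labels[-len(zlabels):] == zlabels:
            return True
    return False


def is_private(addr, ranges):
    """True if the literal IP address falls inside one of the filtered ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def filter_answers(qname, answers, private_address=PRIVATE_ADDRESS,
                   private_domain=PRIVATE_DOMAIN):
    """Apply rebind protection to the A/AAAA answers for qname.

    Returns (kept, dropped). Private answers are dropped unless qname sits
    under an exempted zone, mirroring private-address / private-domain.
    """
    if in_private_zone(qname, private_domain):
        return list(answers), []
    kept, dropped = [], []
    for addr in answers:
        (dropped if is_private(addr, private_address) else kept).append(addr)
    return kept, dropped


def render_unbound_config(private_address=PRIVATE_ADDRESS, private_domain=PRIVATE_DOMAIN):
    """Emit the equivalent unbound server: clause for these lists (hypothetical helper)."""
    lines = ["server:"]
    lines += ["    private-address: %s" % net for net in private_address]
    lines += ["    private-domain: %s" % zone for zone in private_domain]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample answers: one public, one that would rebind to a LAN host.
    print(filter_answers("rebind.attacker.example", ["203.0.113.7", "192.168.1.10"]))
    # Exempted zone: the private answer is passed through.
    print(filter_answers("abc123.plex.direct", ["192.168.1.10"]))
    print(render_unbound_config())
```

Run it directly to see the three cases printed; the first call keeps only the public address, the second keeps the private one because `plex.direct` is exempted, and the config printed last is the clause you would paste into an unbound custom-options box to get the same behaviour.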
My home router even seems to inspect any UDP/53 traffic and redact any responses containing local/private A entries, so not even switching to a public resolver bypasses the protection.
I agree that it’s usually the right behavior.