Comment by X-Istence 10 months ago

Not resolving 127.0.0.1 or RFC1918 addresses or even ULA for IPv6 is done to avoid DNS rebinding attacks. For most end users that is probably the correct move.

lxgr 10 months ago

My home router even seems to inspect any UDP/53 traffic and redact any responses containing local/private A entries, so not even switching to a public resolver bypasses the protection.

I agree that it’s usually the right behavior.

  • cj 10 months ago

    Interesting. I hadn’t considered it might be a security feature of his router!

    • lxgr 10 months ago

      In case you want to look into it further: My router actually allows adding exemptions to this policy on a per-hostname basis!

      Sometimes I wish it would allow wildcards, but honestly that's probably just another way for users to shoot themselves in the foot (e.g. by adding '*').

      • RulerOf 10 months ago

        > Sometimes I wish it would allow wildcards

        pfSense for example uses unbound, and while it doesn't have a switch for disabling rebind protection, it does allow injecting arbitrary unbound config, which can disable rebind protection for any depth of a DNS zone or IP space. E.g.:

            server:
                # netblock whose addresses count as private for rebind protection
                private-address: 192.168.0.1/24
                # domain (and every subdomain under it) allowed to return private addresses
                private-domain: plex.direct
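To make the behaviour discussed in this thread concrete (a resolver dropping A/AAAA answers in loopback, RFC 1918 or ULA space unless the queried name sits under an exempted domain), here is an added Python model; it is not code from pfSense or unbound, and the address list, the exempt-domain matching and the sample answers are constructed for the illustration.

```python
"""Toy DNS rebinding filter: drop private-range answers unless the name is exempt."""
import ipaddress
from typing import Iterable, List, Tuple

# Ranges a rebind filter refuses to hand to clients (constructed list mirroring
# the thread: loopback, RFC 1918, IPv6 loopback and ULA).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7",
)]


def is_private(addr: str) -> bool:
    """True if the address falls in one of the protected ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def in_private_domain(name: str, private_domains: Iterable[str]) -> bool:
    """True if name equals or is a subdomain (any depth) of an exempt domain.

    Matching is label-wise, so 'notplex.direct' is NOT covered by 'plex.direct'.
    """
    labels = name.rstrip(".").lower().split(".")
    for dom in private_domains:
        d = dom.rstrip(".").lower().split(".")
        if len(labels) >= len(d) and labels[-len(d):] == d:
            return True
    return False


def filter_answers(name: str, records: Iterable[str],
                   private_domains: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Split answers for `name` into (kept, dropped) the way a rebind filter would."""
    exempt = in_private_domain(name, list(private_domains))
    kept, dropped = [], []
    for addr in records:
        (kept if exempt or not is_private(addr) else dropped).append(addr)
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample answers: one public and one RFC 1918 address for a random name,
    # and a private address for a name under the exempt domain from the thread.
    print(filter_answers("rebind.example", ["203.0.113.5", "192.168.1.1", "fd00::1"]))
    print(filter_answers("1-2-3-4.abc.plex.direct", ["192.168.1.10"], ["plex.direct"]))
```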