Comment by lxgr
My home router even seems to inspect any UDP/53 traffic and redact any responses containing local/private A entries, so not even switching to a public resolver bypasses the protection.
I agree that it’s usually the right behavior.
My home router even seems to inspect any UDP/53 traffic and redact any responses containing local/private A entries, so not even switching to a public resolver bypasses the protection.
I agree that it’s usually the right behavior.
In case you want to look into it further: My router actually allows adding exemptions to this policy on a per-hostname basis!
Sometimes I wish it would allow wildcards, but honestly that's probably just another way for users to shoot themselves in the foot (e.g. by adding '*').
> Sometimes I wish it would allow wildcards
pfSense for example uses unbound, and while it doesn't have a switch for disabling rebind protection, it does allow injecting arbitrary unbound config, which can disable rebind protection for any depth of a DNS zone or IP space. E.g.:
server:
private-address: 192.168.0.1/24
private-domain: plex.direct
Interesting. I hadn’t considered it might be a security feature of his router!