4

What options do I have for blocking DNS query responses containing a specific IP address or range?

I'm reading up on DNS Rebinding attacks, and wondering how I might block them.

When an attacker attempts a rebinding attack, they will attempt to trick the browser into believing that the malicious content was served from 127.0.0.1 or an address within my LAN. They do so by configuring their DNS server to serve the fraudulent address (when queried from within the malicious script). I would like to prevent this by blocking all responses to forwarded DNS queries that result in a local or LAN address.

I use a Bind9 zone for my local network and use forwarders to resolve external addresses.

The Bind box is a Debian server behind my NAT router. It runs UFW for firewall, and allows TCP/UDP over port 53.

2
  • Have you read up on Response Policy Zones (RPZ)? They can do what you want and are included in BIND9. dnsrpz.info
    – milli
    Commented Jan 24, 2018 at 8:39
  • I don't think that RPZ can be used for this. I believe that RPZ is only capable of filtering requests. The question refers to responses from unknown request domains but with local addresses in the response. Bind does have a feature to do this as described in my answer below.
    – davefiddes
    Commented Jun 20, 2018 at 10:44

1 Answer

2

It is possible to get Bind to filter the addresses returned using the deny-answer-addresses feature. To use this add the following to the options section of your /etc/bind/named.conf.options configuration file:

deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };

This will prevent any 192.0.2.x address from being returned in response to any DNS query except from the locally hosted example.net domain.

The Bind manual also recommends filtering aliases with:

deny-answer-aliases { "example.net"; };

A suggested set of filters I found at http://www.sput.nl/internet/dns-morons.html seems to cover the most common DNS rebinding attacks based on my own testing:

deny-answer-addresses {
    // Unconfigured
    0.0.0.0;
    // RFC 1918
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    // RFC 3927
    169.254.0.0/16;
    // IPv6
    // :: to ::ffff:ffff:ffff.
    // Includes ::, ::1, IPv4-Compatible IPv6 Addresses ::/96,
    // and IPv4-mapped IPv6 addresses ::ffff:0:0/96
    ::/80;
    // IPv6 Link local
    fe80::/10;
    // RFC 6052
    64:ff9b::/96;
} except-from { "Your.Domain"; };
deny-answer-aliases { "Your.Domain"; };

It's probably not a good idea to exclude 127.0.0.0/8 as it is often used by services like spam block lists.

3
  • Thank you! I'll evaluate your response over the coming weekend, when I have a little time to fiddle with it. Looks promising. Commented Jun 20, 2018 at 12:29
  • Sorry for the significant delay in acceptance. I've looked into this config, and it looks like what I was looking for. I do wish I was finding a good way to test it though. Thanks again! Commented May 4, 2019 at 2:34
  • No problem. I used Brannon Dorsey's rebind.network test site (code github.com/brannondorsey/dns-rebind-toolkit) and wireshark to test. Not comprehensive but easy enough to test before and after enabling the change.
    – davefiddes
    Commented May 5, 2019 at 22:49
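Added example, not part of the answer or of BIND: a small Python model of the deny-answer-addresses decision, so you can see which addresses the list above actually covers before doing the end-to-end test with a rebinding site and a packet capture. It parses the block from the answer (comments shortened), checks each A/AAAA answer against the list the way an address_match_list matches (a bare address such as 0.0.0.0 is a single-host prefix, IPv4 addresses never match IPv6 prefixes), and honours except-from by skipping query names at or below the listed zone. The function and variable names are my own, the sample responses are constructed, and what Bind does with a response once an address matches is deliberately not modelled; only the matching rule is.

```python
import ipaddress

# Body of the deny-answer-addresses block from the answer above, reproduced here
# as a string so it can be parsed offline (comments shortened, placeholder kept).
DENY_ANSWER_ADDRESSES_CONF = """
    // Unconfigured
    0.0.0.0;
    // RFC 1918
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    // RFC 3927
    169.254.0.0/16;
    // IPv6: :: to ::ffff:ffff:ffff (covers ::, ::1, ::/96 and ::ffff:0:0/96)
    ::/80;
    // IPv6 link local
    fe80::/10;
    // RFC 6052
    64:ff9b::/96;
"""
EXCEPT_FROM = ["Your.Domain"]  # placeholder zone name, as in the answer


def parse_address_match_list(conf):
    """Turn the text of a named.conf address list into ipaddress network objects.

    Strips // comments, splits on ';' and treats a bare address (such as 0.0.0.0)
    as a single-host prefix, which is also how ipaddress.ip_network reads it.
    """
    networks = []
    for line in conf.splitlines():
        code = line.split("//", 1)[0]
        for entry in code.split(";"):
            entry = entry.strip()
            if entry:
                networks.append(ipaddress.ip_network(entry))
    return networks


DENY_NETWORKS = parse_address_match_list(DENY_ANSWER_ADDRESSES_CONF)


def name_in_zone(qname, zone):
    """True if qname equals zone or lies below it (case-insensitive, trailing dot ignored)."""
    q = qname.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def first_denied_network(address, deny_networks=DENY_NETWORKS):
    """Return the first deny-list network containing address, or None."""
    ip = ipaddress.ip_address(address)
    for net in deny_networks:
        # An IPv4 address never matches an IPv6 prefix and vice versa;
        # ipaddress returns False for a cross-family membership test.
        if ip in net:
            return net
    return None


def check_response(qname, addresses, deny_networks=DENY_NETWORKS, except_from=EXCEPT_FROM):
    """Model the deny-answer-addresses decision for one response (hypothetical helper).

    qname is the name that was queried; addresses are the A/AAAA rdata in the
    answer section. Returns the addresses the filter objects to; an empty list
    means the response passes. Names under an except-from zone are never filtered.
    """
    if any(name_in_zone(qname, zone) for zone in except_from):
        return []
    return [a for a in addresses if first_denied_network(a, deny_networks) is not None]


if __name__ == "__main__":
    # Constructed sample responses, in the shape a rebinding test would produce.
    samples = [
        ("attacker.example", ["203.0.113.7"]),            # ordinary public answer
        ("attacker.example", ["192.168.1.10"]),           # rebound to a LAN host
        ("attacker.example", ["::ffff:192.168.1.10"]),    # same host, IPv4-mapped IPv6
        ("attacker.example", ["64:ff9b::192.168.1.10"]),  # same host behind the NAT64 prefix
        ("router.your.domain", ["192.168.1.1"]),          # own zone, except-from applies
        ("2.0.0.127.dnsbl.example", ["127.0.0.2"]),       # 127/8 is deliberately not listed
    ]
    for qname, addrs in samples:
        denied = check_response(qname, addrs)
        verdict = "DENIED " + str(denied) if denied else "passes"
        print(f"{qname:26} {addrs!s:28} {verdict}")
```

Running it shows the two points worth knowing before you switch the filter on: the IPv4-mapped and NAT64 forms of a LAN address are caught by ::/80 and 64:ff9b::/96 even though the list never mentions 192.168.x.x in IPv6 form, and a DNSBL-style answer in 127.0.0.0/8 still passes, which is exactly the trade-off the answer describes.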
