Post by Eric Luehrsen
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011922.htm
Some circumstances may be vulnerable to DNS rebinding attacks against
global IPv6 address. Through DHCPv6-PD the local network is a
uniquely identifying global subnet. This makes DNS rebinding to a
local machine on its global IPv6 as easy as traditional RFC1918. It
would be a good idea to eliminate any local network IP (RFC1918 or
otherwise) from global DNS responses... ...
Notable use case: if you actually have outward facing servers such as
http or vpn, then they should probably be on a unique subnet DMZ. If
excluding those interfaces in the rebind protection (maybe
=dhcp,[tag]), or running a separate dnsmasq instance for the subnet,
then such subnet would resolve globally and locally without filtering.
I would consider that a BUG (Actually it does exist as bug ... in AVM
Fritz!Boxes).
Public IPs are public IPs are public IPs.
One of the benefits of IPv6 is, that everybody incl. normal private
users, can finally get *public* IPs for all devices.
This effectively removes the need to use different IPs (and sometimes
even ports) for access to the very same resources, depending on if
you are at home/at your office or outside.
That means I can put up a web server on 2001:db8:dead::beef, create an
AAAA record for it and use that new host name from inside as well as
from the outside of my LAN.
No need to use 192.168.blah.blubb:80 from inside and bla.dyn.com:88
from the outside ....
So actually I want my hostnames to resolve anywhere, also at home.
Hi Ziggy,
It would not be a Bug if it is an appropriately selectable option for
local administration to configure for their own security requirements.
Local administration may already want anonymity for their client
computers. IPv6 obscurity is a desired option implemented in RFC 4941
and discussed more in RFC 7721 for example. The general theme should be,
however, that local security is a decision to be left to the authority
over the respective network. Tools and options should be made available
to make the necessary choices possible.
I had already imagined your concerns, and attempted to address them in the
use case. Externally facing servers should be placed in a DMZ, or that
is a specially configured subnet separate from the client access local
subnet. This includes special firewall, DHCP, DNS and other network
configuration rules. Also dnsmasq has a white list domain option for
rebinding protection "--rebind-domain-ok" which allows that your own
domain may resolve with local network address. This allows for one,
dnsmasq to work in chains through routed subnets in corporate
configuration. Yet still protected, "customer97134.ad-pirates.net"
cannot resolve to your local address.
Hopefully this clarifies the idea.
Eric
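The policy Eric describes, as an added example that is not part of the thread and not dnsmasq's own code: a reply is rejected when any returned address falls inside a "local" prefix (RFC 1918, loopback, link-local, ULA, plus the site's DHCPv6-PD delegated global prefix), unless the queried name sits under a domain the administrator has allowed, in the spirit of --rebind-domain-ok. The delegated prefix 2001:db8:dead::/48 and the allowed zone home.example are assumptions chosen for illustration.

```python
import ipaddress

# Constructed policy. The IPv6 /48 stands in for the prefix a provider
# delegated via DHCPv6-PD; 2001:db8::/32 is the documentation range, so
# no real network is implied.
LOCAL_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),            # unique local addresses
    ipaddress.ip_network("fe80::/10"),           # link-local
    ipaddress.ip_network("2001:db8:dead::/48"),  # assumed delegated global prefix
]

# Zones whose names may legitimately answer with local addresses; this
# mirrors the intent of dnsmasq's --rebind-domain-ok (hypothetical zone).
REBIND_OK_DOMAINS = ["home.example"]


def domain_allowed(name, ok_domains=REBIND_OK_DOMAINS):
    """True if name equals or is a subdomain of an allowed zone."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in ok_domains)


def is_local(addr, prefixes=LOCAL_PREFIXES):
    """True if the address lies in any configured local prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)


def check_reply(qname, addrs, prefixes=LOCAL_PREFIXES, ok_domains=REBIND_OK_DOMAINS):
    """Decide whether an A/AAAA reply for qname may be passed to clients.

    Returns (accepted, offending): accepted is False when the reply would
    rebind a public name onto the local network; offending lists the
    addresses that triggered the rejection (empty when accepted).
    """
    if domain_allowed(qname, ok_domains):
        return True, []
    offending = [a for a in addrs if is_local(a, prefixes)]
    return (len(offending) == 0), offending
```

The check treats the delegated global prefix exactly like RFC 1918 space, which is the point of the original post: a globally routable address is still "local" for rebinding purposes when it identifies your own subnet.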