Interesting read. Yet another way your home IoT devices can be pwned.
https://medium.com/@brannondorsey/a...-the-internet-with-dns-rebinding-ea7098a2d325
https://medium.com/@brannondorsey/a...-the-internet-with-dns-rebinding-ea7098a2d325
From what I recall dnsmasq indeed has DNS rebinding protection but it's disabled by default.
Jun 21 17:48:18 dnsmasq[29899]: possible DNS-rebind attack detected: dummytest.lostrealm.ca
Thanks @RMerlin, although it begs the question "If stop-dns-rebind is a good thing why isn't it enabled by default? What's the catch?".EDIT: confirmed, as of dnsmasq 2.80 at least, rebind protection is not enabled by default. Users of my firmware can easily enable it by creating a dnsmasq.conf.add containing "stop-dns-rebind" then restarting dnsmasq.
DNSSEC can help if the clients and DNS server support it, by ensuring that the resolution has not been tampered with... and dnsmasq does support DNSSEC
DNSSEC does not protect against DNS rebind attacks because nothing is tampered with during transit.
It's a signed response - so trust is established with DNSSEC if the client supports it.
You make a point though, if the TTL is still valid, one can play games with cached data until the TTL expires.
I think you’re misunderstanding these recent iteration of DNS rebind attacks.
At the same time, I'm not going to get overly excited about it.
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!