How do the #homelab #hommies feel about putting internal IPs on external DNS servers?

#selfhosted #dns

@train they will be blocked by DNS rebind protection when you try to resolve them. So I don't think it is a good idea
@electronic_eel Wait what!! Speak the english!!

@train @electronic_eel Copied from the dnsmasq manpage:

Reject (and log) addresses from upstream nameservers which are in the private ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network. For IPv6, the private range covers the IPv4-mapped addresses in private space plus all link-local (LL) and site-local (ULA) addresses.

This is the way OpenWrt works by default.

@tuhgy @electronic_eel So this happens client side? Damn, way to bust my bubble #hommies 🤣
@train @electronic_eel It can be configurable. It depends entirely on your setup. For example in OPNsense there's a toggle here: https://docs.opnsense.org/manual/settingsmenu.html#web-gui

Look for "DNS Rebind Check".

@train @tuhgy Yes, it happens client-side. And you usually want to have it enabled to help protect your local net from malicious JavaScript.

@tuhgy @electronic_eel So I'm trying to contextualize the security implications of this on a home network. Is this like you on some tin foil hat type stuff? Yes, technically it is a security concern, but you doing way too much! Or does this have some heft to it, and you probably should use this?

@train @tuhgy Difficult to say. The attack vector has been well known for years, and the required infra & code are not very difficult. So someone pulling this off is not unreasonable. You just need a widespread kind of vulnerable device on common local IPs that makes mass attacks pay off. But I haven't seen actual attacks or heard of them.

So I think setting up protection against it is a good idea, also because it is easily done on many router platforms.

@train @electronic_eel I personally use split-dns, or don't even use external DNS and only provide it for subdomains. However Pi-hole does have a suggestion to disable rebind protection. And there's Netgate that says to add an exclusion for specific domains: https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html
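As an added example (not code from any of the posters, dnsmasq, pfSense or OPNsense), here is the check the dnsmasq manpage text and the pfSense exclusion describe, as a resolver-side filter: answers from upstream that land in private IPv4 ranges, their IPv4-mapped IPv6 forms, link-local or ULA space are dropped and logged, unless the queried name falls under an allowed (split-DNS) domain. The exact range list is an assumption based on the manpage wording; the sample answers are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Ranges treated as "private" for the rebind check (assumption based on the
# dnsmasq manpage wording: RFC 1918 plus loopback and link-local for IPv4,
# link-local and ULA for IPv6).
PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
PRIVATE_V6 = [ipaddress.ip_network(n) for n in (
    "fe80::/10", "fc00::/7", "::1/128")]


def is_rebind_address(ip_text: str) -> bool:
    """True if an upstream answer points into local/private space."""
    addr = ipaddress.ip_address(ip_text)
    # ::ffff:192.168.1.1 is an IPv4 address in disguise; check it as IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    nets = PRIVATE_V4 if addr.version == 4 else PRIVATE_V6
    return any(addr in net for net in nets)


def filter_answers(qname: str, answers: Iterable[str],
                   allowed_domains: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Apply the rebind check to one reply.

    Returns (accepted answers, log lines). Names at or under an allowed
    domain bypass the check, which is the pfSense-style exclusion used for
    split-DNS zones you deliberately publish with internal addresses.
    """
    name = qname.rstrip(".").lower()
    allowed = [d.rstrip(".").lower() for d in allowed_domains]
    exempt = any(name == d or name.endswith("." + d) for d in allowed)
    accepted, log = [], []
    for ip in answers:
        if not exempt and is_rebind_address(ip):
            log.append(f"rebind: rejected {ip} in answer for {name}")
        else:
            accepted.append(ip)
    return accepted, log


if __name__ == "__main__":
    # Constructed sample: a published internal host under an allowed zone,
    # and an untrusted name whose upstream answer mixes public and private IPs.
    print(filter_answers("nas.home.example", ["192.168.1.20"], ["home.example"]))
    print(filter_answers("evil.example.",
                         ["203.0.113.5", "192.168.1.1", "::ffff:10.0.0.1", "fe80::1"]))
```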