by TacticalCoder 917 days ago
Wait... Can DNS resolvers be configured so that RFC1918 is respected?

I mean: I don't expect anything less from Microsoft than doing stuff like that and it cannot affect me for I nullroute microsoft.com from my unbound server (unbound takes wildcard when nullrouting or NXDOMAINing crap domains like microsoft.com or meta.com etc., which is sweet).

However I'd expect my trusty DNS resolver to also prevent anyone not on my private LANs from impersonating addresses reserved for private use.

Does anyone here know if it's easily doable?

4 comments

You're looking for DNS rebinding protection, many DNS servers support it. However there are some cases where things do use private IPs in DNS records outside of the local domain, one example is Plex (e.g. https://support.plex.tv/articles/206225077-how-to-use-secure... suggests turning off DNS rebinding protection) -- although in some cases you can allow particular domains which is a much better way than turning it off entirely.

(See also the sibling comment about microsoft.com being IPv6 only as a result of a particular implementation of DNS rebinding protection: https://news.ycombinator.com/item?id=38704159)

Yes, some can.

Unbound's "private-address" and "private-domain" directives control this.

Similarly, bind9 has "deny-answer-addresses" (with an "except-from" option so you can specify local domains that are allowed to use them):

https://bind9.readthedocs.io/en/v9.18.20/reference.html#cont...

Not sure about others.
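To make the behaviour of those directives concrete, here is an added example (not code from the thread or from Unbound/BIND) that models what private-address plus private-domain do: A/AAAA records inside private ranges are dropped from an answer unless the query name falls under an allow-listed domain. The domain names and records are constructed for illustration; "plex.direct" is assumed from the Plex article linked above.

```python
import ipaddress

# Ranges a resolver would typically list under Unbound's private-address
# (RFC 1918 IPv4 plus loopback, link-local and IPv6 ULA/link-local).
PRIVATE_ADDRESS = [
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10",
    )
]

# Domains allowed to answer with private addresses (Unbound's private-domain,
# BIND's except-from). Constructed for this example.
PRIVATE_DOMAIN = ["home.example.net", "plex.direct"]


def is_private(addr: str) -> bool:
    """True if addr lies inside any listed private range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_ADDRESS)


def in_private_domain(name: str) -> bool:
    """True if name equals or is a subdomain of an allow-listed domain."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in PRIVATE_DOMAIN)


def filter_answer(qname: str, records):
    """Split an answer into (kept, dropped) lists.

    records is a list of (rrtype, rdata) tuples; only A/AAAA are inspected,
    other types (CNAME, MX, TXT) pass through untouched.
    """
    kept, dropped = [], []
    for rrtype, rdata in records:
        if rrtype in ("A", "AAAA") and is_private(rdata) and not in_private_domain(qname):
            dropped.append((rrtype, rdata))   # rebinding attempt: strip it
        else:
            kept.append((rrtype, rdata))
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample: a public name answering with a LAN address.
    print(filter_answer("foo.example.com.", [("A", "10.0.0.5"), ("A", "203.0.113.7")]))
    # Constructed sample: an allow-listed home zone keeps its RFC 1918 record.
    print(filter_answer("nas.home.example.net", [("A", "192.168.1.10")]))
```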

I wouldn't expect it to. I have plenty of RFC-1918 addresses in a subdomain of my public DNS zone for my home network. It's been that way for decades. (Perhaps I should use split DNS, but...)
My Unbound servers strip RFC out.

Public resolvers keep DNS answers intact because they can carry alt data like how dodgy an SMTP server is.