Respond with fake IP for DNS rebinding hits?

I currently have an unbound server.

However, with some mail providers using the "exists:" mechanism and returning 127.0.0.1, this obviously triggers the DNS rebinding protection and a SERVFAIL.

This ultimately leads to an SPF rejection.

Is there any way to configure unbound so that if the rebinding protection trips, it will instead return a non-routable bogus IP like "192.0.2.123" (documentation only)? That would both ensure the "exists:" mechanism works as intended and protect localhost if a malicious actor were to do a rebinding attack.

I'm thinking of excluding 127.0.0.0/8 from private-address, and then using some sort of rewriting mechanism, if this exists in unbound?

sebastian via Unbound-users wrote:

I currently have an unbound server. However, with some mail providers using the "exists:" mechanism and returning 127.0.0.1, this obviously triggers the DNS rebinding protection and a SERVFAIL. This ultimately leads to an SPF rejection.

Is there any way to configure unbound so that if the rebinding protection trips, it will instead return a non-routable bogus IP like "192.0.2.123" (documentation only)? That would both ensure the "exists:" mechanism works as intended and protect localhost if a malicious actor were to do a rebinding attack.

I'm thinking of excluding 127.0.0.0/8 from private-address, and then using some sort of rewriting mechanism, if this exists in unbound?

Hi,

Could you describe more verbosely who asks what, and why? -> full queries
RBLs use an answer of 127.0.0.1 all the time. I don't see why this should be a rebind attack.
Do you have a special unbound setting enabled?

Andreas

For RBLs I have exceptions. For each RBL server, I have private-domain configured, so each RBL server I use is whitelisted and allowed to respond with 127.x.x.x.

However, when a mail provider configures "exists:" in their SPF with a macro, it becomes a problem, because I can't anticipate who is going to send mail to me, check their SPF for an "exists:" and then whitelist their weird server.

This causes my DNS to trip the rebind protection and return SERVFAIL, and then the SPF check fails with an SPF failure since the record doesn't "exist:" (when it really does; the DNS rebind protection just swallowed the record).
Since I have regular client computers behind the same firewall, I can't just disable DNS rebind protection.

So what I want unbound to do, instead of "swallowing" the response when it is a "prohibited rebind response", is to respond with a bogus IP address. In this way any rebind attempt will fail, while the "exists:" mechanism in SPF will still work (since the exists: mechanism doesn't care about the IP address).

The easiest way would be to have some rewrite mechanism: if the A record would contain 127.0.0.0/8, rewrite that to 192.0.2.123.
Does something like that exist in unbound?

-----Original message-----

I still have no idea what your problem is. Can you provide example domains with an SPF record containing 'exists:'?
Also I would like to know your "whitelist" -> can you post your unbound.conf?

Andreas

Here is an example:
goteborg.se
It has this weird "exists:%{i}.spf.hc2437-76.eu.iphmx.com", which for a valid connection translates to 127.0.0.2.

Try with for example, 23.90.102.86.spf.hc2437-76.eu.iphmx.com

You can see here:
https://mxtoolbox.com/SuperTool.aspx?action=a%3A23.90.102.86.spf.hc2437-76.eu.iphmx.com&run=toolpage
This 127.0.0.2 gets caught in the DNS rebinding filter, and then the SPF validation fails.

Here is the relevant config portion for the DNS rebinding protection:

server:
    # Zones that are allowed to answer with addresses from the private-address list
    private-domain: sebbe.eu
    private-domain: list.dnswl.org
    # IPv4 ranges that are rejected in answers from every other zone
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 169.254.0.0/16
    private-address: 127.0.0.0/8
    # The same ranges in IPv4-mapped IPv6 form (::ffff:a.b.c.d)
    private-address: 0:0:0:0:0:ffff:c0a8:0/112
    private-address: 0:0:0:0:0:ffff:a00:0/104
    private-address: 0:0:0:0:0:ffff:ac10:0/108
    private-address: 0:0:0:0:0:ffff:a9fe:0/112
    private-address: 0:0:0:0:0:ffff:7f00:0/104
    # IPv6 loopback, unique-local and link-local
    private-address: ::1/128
    private-address: fd00::/8
    private-address: fe80::/10

The "private-domain" setting whitelists certain DNS zones to respond with a private-address.
So list.dnswl.org and sebbe.eu are permitted to respond with any address listed as a private-address.
Any other server responding with an IP listed as a private-address is blocked.

Now, instead of blocking the 127.0.0.0/8 responses, I would want to respond with a bogus IP like "192.0.2.123", which is an IP reserved for documentation (TEST-NET) and is unroutable in LAN environments, in the localhost environment and also on the internet.

Thus, providing a record so that the IP "exists:", but still protecting any clients behind the same firewall from DNS rebinding attacks.

-----Original message-----

Now I understand your setup.

man (5) unbound.conf says

     private-address:
     ... We consider to enable this for the RFC1918 private IP address space by default in later releases ...

I assume the "private-address" setting is not set by default for good reasons, and the unbound developers
haven't changed that default to this day.

I see the value of rebind protection on systems used by humans.
But a mail server is another use case.

One way to solve your issue is to run two resolver instances, one for servers and one for end-user systems,
with only the latter configured with "private-address".

Andreas

Correct, I have manually set up the DNS rebinding protection feature, to increase security.

Is there any way to rewrite all 127.0.0.0/8 responses to a custom IP? I suspect there is some rewrite module or similar that can replace responses, right?

The mail server and LAN clients are behind the same firewall, that's why I need rebinding protection. I could move the mail server off the LAN to a separate net, but that requires pulling a long new patch cable.
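The rewrite policy asked for in this thread, written out as an added example in plain Python. This is not code from the thread and not part of Unbound; it only models the decision Unbound's private-address/private-domain check makes on an answer, with the one change the poster wants: answers in 127.0.0.0/8 (and the IPv4-mapped form ::ffff:127.0.0.0/104) from non-whitelisted zones are replaced by 192.0.2.123 instead of producing SERVFAIL, while every other private range is still refused. The range and domain lists are copied from the unbound.conf posted above; the sink address, the query names and the answers fed in at the bottom are constructed test data. Unbound does ship a Python module (module-config "validator python iterator" plus python-script), which is the place such a hook would have to live, but wiring into that API is not shown here.

```python
"""Model of unbound's private-address check with loopback answers rewritten
to a TEST-NET sink instead of SERVFAIL.  Added example, not Unbound code."""
import ipaddress
from typing import List, Tuple

# Copied from the private-address lines of the posted unbound.conf.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "169.254.0.0/16",
    "127.0.0.0/8",
    "::ffff:c0a8:0/112", "::ffff:a00:0/104", "::ffff:ac10:0/108",
    "::ffff:a9fe:0/112", "::ffff:7f00:0/104",
    "::1/128", "fd00::/8", "fe80::/10",
)]
# Copied from the private-domain lines: zones allowed to answer with private space.
PRIVATE_DOMAIN = ("sebbe.eu", "list.dnswl.org")

# Loopback ranges that get rewritten rather than refused (the poster's wish).
LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"),
            ipaddress.ip_network("::ffff:7f00:0/104"))
# Assumed sink: RFC 5737 TEST-NET-1, never routed and never localhost.
DOCUMENTATION_SINK = "192.0.2.123"


def in_private_domain(qname: str) -> bool:
    """True if qname is at or below one of the whitelisted zones."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in PRIVATE_DOMAIN)


def is_private(ip) -> bool:
    # ipaddress refuses v4-in-v6 comparisons, so version mismatches are False.
    return any(ip in net for net in PRIVATE_ADDRESS)


def filter_answer(qname: str, answers: List[str]) -> Tuple[str, List[str]]:
    """Apply the rebind policy to the A/AAAA answers of one query.

    Returns (rcode, addresses).  Whitelisted zones pass untouched; loopback
    answers from anyone else become the sink; other private answers SERVFAIL
    exactly as unbound's private-address check does today.
    """
    if in_private_domain(qname):
        return "NOERROR", list(answers)
    out: List[str] = []
    for a in answers:
        ip = ipaddress.ip_address(a)
        if any(ip in net for net in LOOPBACK):
            if DOCUMENTATION_SINK not in out:   # one sink record is enough
                out.append(DOCUMENTATION_SINK)
        elif is_private(ip):
            return "SERVFAIL", []               # RFC1918 etc. still refused
        else:
            out.append(a)
    return "NOERROR", out


def spf_exists(qname: str, answers: List[str]) -> bool:
    """The SPF 'exists:' test: any A record at all is a match (RFC 7208 5.7)."""
    rcode, addrs = filter_answer(qname, answers)
    return rcode == "NOERROR" and len(addrs) > 0


if __name__ == "__main__":
    # Constructed answers; the iphmx name is the one from the thread.
    cases = [
        ("23.90.102.86.spf.hc2437-76.eu.iphmx.com", ["127.0.0.2"]),  # SPF exists:
        ("2.0.0.127.list.dnswl.org", ["127.0.10.1"]),                 # whitelisted RBL
        ("attacker.example", ["192.168.1.1"]),                        # rebind to LAN
        ("attacker.example", ["::ffff:127.0.0.1"]),                   # rebind to loopback
        ("www.example.net", ["203.0.113.5"]),                         # ordinary answer
    ]
    for name, ans in cases:
        print(name, ans, "->", filter_answer(name, ans), "exists:", spf_exists(name, ans))
```

The point of the split between LOOPBACK and the rest of PRIVATE_ADDRESS is that the poster only needs 127/8 to "exist"; a rebinding answer pointing at the LAN (10/8, 192.168/16) still has to fail closed, so those keep the SERVFAIL behaviour.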

-----Original message-----