DNSmasq & rebind

DD-WRT Forum Index -> Broadcom SoC based Hardware
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Fri Dec 17, 2010 20:56    Post subject: DNSmasq & rebind
Today I wrote a script to check a bulk of IPs on a set of DNSBLs (DNS blacklists). It also checks the DNS blacklist itself.

I then noticed that my script disqualified zen.spamhaus.org. That's a bit strange as this is a major blocklist which passed that same script when I ran it at work.

I then investigated it by hand by issuing this command on the command-line of my Ubuntu-server:
Code:
# host -tA 2.0.0.127.zen.spamhaus.org.
2.0.0.127.zen.spamhaus.org has no A record

I then tested it with my ISP's DNS, maybe they were doing something funny, but no, it was all right, just like Google's DNS:
Code:
# host 2.0.0.127.zen.spamhaus.org. 213.204.195.4
Using domain server:
Name: 213.204.195.4
Address: 213.204.195.4#53
Aliases:

2.0.0.127.zen.spamhaus.org has address 127.0.0.4
2.0.0.127.zen.spamhaus.org has address 127.0.0.2
2.0.0.127.zen.spamhaus.org has address 127.0.0.10


It turned out it was my dnsmasq.
I saw some posts about 'DNS rebind', but never found time to investigate it, so I decided to 'disable No DNS rebind'

Now it's working as it should:

Code:
# host -tA 2.0.0.127.zen.spamhaus.org.
2.0.0.127.zen.spamhaus.org has address 127.0.0.10
2.0.0.127.zen.spamhaus.org has address 127.0.0.2
2.0.0.127.zen.spamhaus.org has address 127.0.0.4



What's the deal here and why isn't this the default setting? I also saw some things about exempting 127.0.0.1

Can anyone advise the optimal setting for my purpose?
Phuzion?

BTW.. here's the script:
http://www.linuxquestions.org/questions/programming-9/checking-ips-against-a-whole-lot-of-dnsbls-850922

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Fri Dec 17, 2010 22:11    Post subject:
Really? Did you miss or forget about the whole DNS rebind attack last summer? Look it up.

The attack itself isn't too serious because you have to browse a site and then through rebinding they get your browser to access your WAN IP (the router in most cases) and then they have to log in to the browser. This pretty much limits it to firmwares that have a default username/password, which dd-wrt hasn't had for 2 years.

DNS rebinding is still generally bad and leads to other attacks, so it is now blocked by default. Just look at it, they're sending you loopback addresses! They could serve you a web page, stop responding on their IP, and then have the page they served you try to access the machine the browser is running on.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Sat Dec 18, 2010 7:52    Post subject:
phuzi0n wrote:
Really? Did you miss or forget about the whole DNS rebind attack last summer? Look it up.

No, I didn't completely miss it. It has to do with DNS-poisoning by bombarding your DNS with false answers...

But I fail to see the relation with this faulty behaviour. Or is it just a dirty fix they did with dnsmasq?

I am still busy with my script (getting sucked into it). It really looks nice now. You should really take a look at it and into zabbix as well.

I think this 127.0.0.0/8 exemption may be better for me...
Phuzion, could you do some thinking for me, as my head is exploding at the moment?

frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Sun Dec 19, 2010 8:22    Post subject:
Phuzion?
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Mon Dec 20, 2010 20:45    Post subject:
frater wrote:
It has to do with DNS-poisoning by bombarding your DNS with false answers...
[...]
I think this 127.0.0.0/8 exemption may be better for me...

And how are 127.0.0.0/8 addresses not false answers? They're telling you to go to your own machine and that could be used to compromise it.

frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Mon Dec 20, 2010 22:07    Post subject:
phuzi0n wrote:
frater wrote:
It has to do with DNS-poisoning by bombarding your DNS with false answers...
[...]
I think this 127.0.0.0/8 exemption may be better for me...

And how are 127.0.0.0/8 addresses not false answers? They're telling you to go to your own machine and that could be used to compromise it.
Mmmm.. you clearly don't know how DNSBL works. I'm not going anywhere with that result. DNS is just a query.

It even has an RFC http://tools.ietf.org/html/rfc5782

If you want to check if DD-WRT's website is listed on the DNSBL you take its IP (83.141.4.210) and you put the octets in reverse so you do this query:

Code:
210.4.141.83.zen.spamhaus.org.
Host 210.4.141.83.zen.spamhaus.org. not found: 3(NXDOMAIN)

This means it is not listed.

If I give a spamming IP or the test-IP 127.0.0.2, I will get this answer:
Code:
# host 2.0.0.127.zen.spamhaus.org.
2.0.0.127.zen.spamhaus.org has address 127.0.0.2
2.0.0.127.zen.spamhaus.org has address 127.0.0.4
2.0.0.127.zen.spamhaus.org has address 127.0.0.10

phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Mon Dec 20, 2010 22:54    Post subject:
Ah, so DNSBL is a security method that's insecure by design. :lol:

It seems that instead of rebinding, a site could just send you to a domain that the DNSBL will redirect to your localhost for them.

Well one second of the DNSMasq man page turned this up.

--rebind-localhost-ok
Exempt 127.0.0.0/8 from rebinding checks. This address range is returned by realtime black hole servers, so blocking it may disable these services.

There's also the option of changing the DNS servers of the machine using DNSBL so that it will bypass DNSMasq so that you don't expose other machines to rebinding.

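The DNSBL lookup frater walks through above and the --rebind-localhost-ok option phuzi0n quotes from the man page, worked through as an added Python example (not code from either poster, from frater's script or from dnsmasq): it builds the reversed-octet query name, puts a simplified model of dnsmasq's rebind filter in front of a constructed upstream server, and runs the RFC 5782 test-entry check the way frater did by hand, so a DNSBL checker can tell "the list is broken" from "my resolver is stripping 127.0.0.0/8 answers". The upstream table, the 192.0.2.1 listing and the drop-only-the-offending-record behaviour are assumptions made for the example.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed stand-in for an upstream DNS server, keyed by query name. The 127.0.0.2
# entry copies the `host` output in the thread; 1.0.0.127 is absent on purpose (RFC 5782:
# 127.0.0.1 must never be listed); 192.0.2.1 is a made-up listed address.
FAKE_UPSTREAM: Dict[str, List[str]] = {
    "2.0.0.127.zen.spamhaus.org.": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    "1.2.0.192.zen.spamhaus.org.": ["127.0.0.2"],
}
Resolver = Callable[[str], List[str]]  # query name -> A records; [] means NXDOMAIN

def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the DNSBL zone, as RFC 5782 describes."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."

def upstream(name: str) -> List[str]:
    return list(FAKE_UPSTREAM.get(name, []))

def dnsmasq(stop_dns_rebind: bool = True, rebind_localhost_ok: bool = False) -> Resolver:
    """Simplified model of dnsmasq forwarding to `upstream`: with --stop-dns-rebind,
    answers in private ranges or 127.0.0.0/8 are rejected; --rebind-localhost-ok
    exempts 127.0.0.0/8. Assumption: only the offending records are dropped here."""
    def resolve(name: str) -> List[str]:
        kept = []
        for a in upstream(name):
            addr = ipaddress.IPv4Address(a)
            if addr.is_loopback and rebind_localhost_ok:
                kept.append(a)                      # DNSBL return codes survive
            elif stop_dns_rebind and (addr.is_private or addr.is_loopback):
                continue                            # the thread's "has no A record"
            else:
                kept.append(a)
        return kept
    return resolve

def is_listed(ip: str, zone: str, resolver: Resolver) -> bool:
    return bool(resolver(dnsbl_name(ip, zone)))

def diagnose(zone: str, local: Resolver, direct: Resolver) -> str:
    """The thread's manual steps as a health check: 'ok', 'list-broken' (127.0.0.2
    missing or 127.0.0.1 listed when asked directly upstream) or 'resolver-filtering'
    (upstream answers, but the local resolver strips the 127.0.0.0/8 reply)."""
    if is_listed("127.0.0.1", zone, direct) or not is_listed("127.0.0.2", zone, direct):
        return "list-broken"
    if not is_listed("127.0.0.2", zone, local):
        return "resolver-filtering"
    return "ok"
```

Calling diagnose with dnsmasq() as the local resolver and upstream as the direct one reproduces frater's situation; passing dnsmasq(rebind_localhost_ok=True) instead reproduces the man-page fix.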
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Tue Dec 21, 2010 6:50    Post subject:
phuzi0n wrote:
Ah, so DNSBL is a security method that's insecure by design. :lol:

One shouldn't underestimate the ingenuity of a good hacker, but as far as I can gather the returning of a 127.0.0.1 is only a threat for machines that are running webservices on the same machine as they are browsing. BTW... It returns 127.0.0.2 not 127.0.0.1

I think that not accepting a 127.0.0.0/8 address is just a 'symptom fix' of dnsmasq instead of the real solution which is keeping a table of IP-addresses for which it should accept queries. It only needs to listen to DNS-servers it has queried. Before it would just accept an answer coming from anywhere. A typical SOHO-router only queries 2 DNS-servers (their ISP's). That's why Bind needed an upgrade.

Bombarding a victim or their ISP's DNS-server with DNS-answers for a bank can lead them to a fake site.

But if this solution DNSmasq is using would be the right one it would mean all the DNS-servers had the same behaviour. They don't.

BTW, DNSmasq does some other strange things. If I query it with a nonexistent domain without the trailing dot, it will append the local domain to it, which is really not what I want.
Do you know how I can turn that off?

phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Tue Dec 21, 2010 8:49    Post subject:
frater wrote:
phuzi0n wrote:
Ah, so DNSBL is a security method that's insecure by design. :lol:

One shouldn't underestimate the ingenuity of a good hacker, but as far as I can gather the returning of a 127.0.0.1 is only a threat for machines that are running webservices on the same machine as they are browsing. BTW... It returns 127.0.0.2 not 127.0.0.1

Not necessarily web services; I'm pretty sure that between Flash, Java, and Silverlight the browser can communicate with raw data for any service. I'm not sure if there's any way to exploit rebinding with anything other than a browser.

The entire 127.0.0.0/8 block is loopback to the localhost (so wasteful!) so it doesn't matter what the host bits are.

You lost me after that in what seems to be a mash up of DNSMasq's rebind blocking vs Bind accepting answers from anywhere which are totally different problems.
