Sunday, October 21 2007
here is a patch for Dnsmasq (the very popular DHCP server and DNS forwarder and cache) that will prevent DNS
rebinding attacks against private networks (192.168,10.,...). The patch basically adds a filter to the forward
resolver of Dnsmasq. The filter will basically drop all private IP addresses contained in answers. Of course this
will not prevent a rebinding attack against other IP ranges like if your local network uses some public IP range.
But since Dnsmasq is mainly used for home Cable/DSL routers (like the OpenWRT-based routers) this patch should
offer sufficient protection.
dnsmasq_stopdnsrebind.patch (for dnsmasq 2.40)
To activate the DNS rebinding protection add --stop-dns-rebinding to the dnsmasq command line.
I made it a command line option since dnsmasq is also used as a DNS cache on clients (e.g. Nokia N800) and
you still want to be able to resolve local IP addresses.
Feedback is welcome!