DNS rebind protection

Posted July 26, 2018 by David Redekop to DNS Security

The green circle is what you’re looking for on your local DNS server on your LAN. Then, and only then, according to GRC DNS benchmark freeware, do you pass the test of private IPs being stripped from public DNS queries. As of DNSthingy build 1916 and above, this behaviour is now the default.

This is important because it is a security strategy to mitigate DNS rebinding attacks, which are currently making the rounds as a way into private IPv4 networks that are often presumed to be protected from the public internet.

Steve Gibson on Security Now Episode #673 (show notes PDF) had great coverage on the DNS rebinding attack, after already having covered it in episode #260.

In pfSense (2.3+), the corresponding setting is in the UI under System -> Advanced:

As long as that box is unchecked as shown in the screenshot, build 1916 and onwards will block RFC1918 private addresses (10.0.0.0/24, 172.16/12, 192.168/16) plus the 169.254/16 subnet, as well as IPv6 link-local addresses and the applicable area of NAT64 space. Note that this is also the behaviour of the pfSense default DNS resolver (unbound).
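To make the filtering concrete, here is an added example (not DNSthingy or unbound code) of the check a resolver applies to each A/AAAA answer before handing it to a LAN client: the address ranges follow RFC 1918 (10/8, 172.16/12, 192.168/16), RFC 3927 (169.254/16) and IPv6 link-local, and it also looks inside IPv4-mapped and NAT64 well-known-prefix (64:ff9b::/96, assumed here as the "applicable area of NAT64 space") addresses so a private IPv4 host cannot be smuggled through an AAAA record.

```python
"""Strip private/link-local answers from public DNS responses (DNS rebind protection)."""
import ipaddress
from typing import List, Optional, Tuple

# Ranges a public name should never resolve to on a LAN-facing resolver.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),     # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),    # RFC 1918
    ipaddress.ip_network("169.254.0.0/16"),    # RFC 3927 link-local
    ipaddress.ip_network("fe80::/10"),         # IPv6 link-local
]
# Assumed NAT64 well-known prefix (RFC 6052): the low 32 bits carry an IPv4
# address, which must be checked against the IPv4 ranges above.
NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")


def embedded_ipv4(addr: ipaddress.IPv6Address) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address carried inside a mapped or NAT64 IPv6 address, else None."""
    if addr.ipv4_mapped is not None:           # ::ffff:a.b.c.d
        return addr.ipv4_mapped
    if addr in NAT64_PREFIX:                   # 64:ff9b::a.b.c.d
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None


def is_rebind_target(address: str) -> bool:
    """True if an answer pointing at this address would let a public name reach the LAN."""
    addr = ipaddress.ip_address(address)
    if isinstance(addr, ipaddress.IPv6Address):
        inner = embedded_ipv4(addr)
        if inner is not None:
            addr = inner                       # judge the embedded IPv4 address instead
    return any(addr in net for net in BLOCKED_NETWORKS)


def filter_answers(answers: List[str]) -> Tuple[List[str], List[str]]:
    """Split a resolver's A/AAAA answers into (kept, stripped)."""
    kept = [a for a in answers if not is_rebind_target(a)]
    stripped = [a for a in answers if is_rebind_target(a)]
    return kept, stripped


if __name__ == "__main__":
    # Constructed sample: a public name answered with one public address and
    # two internal ones (the second hidden in an IPv4-mapped AAAA record).
    kept, stripped = filter_answers(["203.0.113.10", "192.168.1.1", "::ffff:10.0.0.5"])
    print("kept:", kept, "stripped:", stripped)
```

A resolver that does this still needs an exemption for its own local zones (names that legitimately resolve to LAN addresses), which is why tools expose the behaviour as a setting rather than hard-coding it.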

On other platforms (ClearOS, ASUS) this behaviour is default as well, starting with Build 1916 and onwards.

To check your build, log into your dashboard -> Router and hover over your “Running” version to display the build number, as shown here.

The qualifying build is available on pfSense Rapid Release Channel as of 27 July 2018 and will be deployed automatically on other platforms. Keep enjoying your peace of mind!