dnsmasq: stop dns-rebind attacks
Hi, in this years Black Hat conference, Craig Heffner will show an attack against many home routers which is based on DNS rebinding. This article shows you, how to disable it on dnsmasq.
DNS rebinding is based on the following scheme (thanks to Mitternachtshacking - article in german):
-
Webbrowser loads page with flash from server www.mydomain.com
DNS for www.mydomain.com is: 212.18.45.xx with TTL=1
-
Webbroswer loads xmlsocket-policy from server www.mydomain.com, which allows port 22
DNS for www.mydomain.com is: 212.18.45.xx with TTL=1
-
Flash which runs in webbrowser opens a connection to www.mydomain.com:22
DNS for www.mydomain.com is: 192.168.1.1 with TTL=1
Everything runs under the same-origin-policy.
To prevent dnsmasq from accepting this, just add the following to the dnsmasq commandline:
--stop-dns-rebind
With Debian Lenny, you just need to add this line in the file /etc/default/dnsmasq:
DNSMASQ_OPTS="--stop-dns-rebind"
Bye, Sven