Topics - TopherIsSwell

General Discussion / Disabling DNS Rebinding Protection in Unbound
« on: July 01, 2022, 10:16:22 pm »
tldr: I'm trying to allow Unbound to resolve 10/8 IP addresses for public domains. Does anyone know how the Unbound config is generated in OPNsense?

Using:
OPNsense 22.1.9_1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1o 3 May 2022

I prefer to have my DNS records authoritative and I hate having spoofed records on the local LAN to return private IP addresses. Thus I publish private IP addresses in A records on public domains. I'm perfectly willing to hear arguments on why you think this is a terrible idea, but please point to some viable attack chain instead of just telling me it's bad because you read it on a blog somewhere. I realize there are risks as it sets the precedent for a rebinding attack, but this is a risk I'm willing to accept in exchange for administration simplicity and not compromising DNSSEC.

There doesn't seem to be a setting in the web UI, so I commented out the following lines in `/var/unbound/unbound.conf`:
```
private-address: 10.0.0.0/8
```
This works; however, when Unbound is reloaded by OPNsense (after an update, reboot, or clicking the reload button in the web UI), the config file is rebuilt from scratch, blowing away my local changes. I'm wondering where/how this config is generated so I can edit the template process to allow private IP resolution.

Currently, I just have a hack of marking the config immutable, but it seems this will bite me in the butt some day. Any ideas? Or interest in making this configurable upstream?
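
An added example, not part of the original post and not OPNsense or Unbound code: a simplified Python model of what `private-address` filtering does to an answer, comparing the stock setting, the global removal of 10/8 described in the post, and a per-domain exemption using Unbound's `private-domain` option. The domain names, addresses and the two extra RFC 1918 ranges are constructed samples.

```python
import ipaddress

# Constructed sample config: 10.0.0.0/8 is the line quoted in the post;
# the other two RFC 1918 ranges are assumed for illustration.
STOCK_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
EDITED_NETS = ["172.16.0.0/12", "192.168.0.0/16"]  # 10/8 commented out

def in_zone(name, zone):
    """True if name equals zone or is a subdomain of it (label-wise match)."""
    n = name.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(n) >= len(z) and n[-len(z):] == z

def filter_answer(qname, addresses, private_nets, private_domains=()):
    """Simplified model of the rebinding filter: return (kept, stripped).

    Addresses inside private_nets are removed from the answer unless qname
    falls under one of the exempted private_domains.
    """
    if any(in_zone(qname, d) for d in private_domains):
        return list(addresses), []
    nets = [ipaddress.ip_network(n) for n in private_nets]
    kept, stripped = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        (stripped if any(ip in net for net in nets) else kept).append(addr)
    return kept, stripped

def compare(qname, addresses):
    """Run one answer through the three configurations."""
    return {
        "stock": filter_answer(qname, addresses, STOCK_NETS),
        "10/8 removed": filter_answer(qname, addresses, EDITED_NETS),
        "private-domain": filter_answer(qname, addresses, STOCK_NETS,
                                        ["example.net"]),
    }

if __name__ == "__main__":
    samples = [  # constructed answers
        ("nas.example.net", ["10.1.2.3"]),
        ("www.unrelated.example.org", ["203.0.113.7", "10.1.2.3"]),
    ]
    for qname, addrs in samples:
        for label, (kept, stripped) in compare(qname, addrs).items():
            print(f"{qname:28} {label:15} kept={kept} stripped={stripped}")
```

Removing the 10/8 line lets any public name return a 10.x address to LAN clients, while the `private-domain` variant keeps the filter on for every name outside the exempted zone.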
