Disabling DNS Rebinding Protection in Unbound

Started by TopherIsSwell, July 01, 2022, 10:16:22 PM

tldr: I'm trying to allow Unbound to resolve 10/8 IP addresses for public domains. Does anyone know how the Unbound config is generated in OPNsense?

Using:
OPNsense 22.1.9_1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1o 3 May 2022

I prefer to have my DNS records authoritative and I hate having spoofed records on the local LAN to return private IP addresses. Thus I publish private IP addresses in A records on public domains. I'm perfectly willing to hear arguments on why you think this is a terrible idea, but please point to some viable attack chain instead of just telling me it's bad because you read it on a blog somewhere. I realize there are risks as it sets the precedent for a rebinding attack, but this is a risk I'm willing to accept in exchange for administration simplicity and not compromising DNSSEC.

There doesn't seem to be a setting in the web UI, so I commented out the following lines in `/var/unbound/unbound.conf`:
private-address: 10.0.0.0/8

This works; however, when Unbound is reloaded by OPNsense (after an update, reboot, or clicking the reload button in the web UI), the config file is rebuilt from scratch, blowing away my local changes. I'm wondering where/how this config is generated so I can edit the template process to allow private IP resolution.

Currently, I just have a hack of marking the config immutable, but it seems this will bite me in the butt some day. Any ideas? Or interest in making this configurable upstream?

I can look into that and submit a pull request. Looks like it should be configurable. Also, I'm interested in how OPNsense currently implements this. Simply assuming "internal" == RFC 1918 addresses is just plain wrong. There are many scenarios where internal, even NATed addresses come from global unicast address space. If done correctly, OPNsense would need to pick up whatever you have on !WAN interfaces.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thank you, pmhausen. I appreciate you looking into this.

I have a similar need to allow the Starlink stats page and Dishy control to work properly, since they do something like this:

; <<>> DiG 9.18.5 <<>> dishy.starlink.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20484
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dishy.starlink.com. IN A

;; ANSWER SECTION:
dishy.starlink.com. 474 IN A 192.168.100.1

;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Wed Aug 17 19:32:00 EDT 2022
;; MSG SIZE  rcvd: 63


Since there is no override anymore, we cannot allow private-address manually.

Ideally, I would like something in the UI that allows me to either put a range of private address or put a domain name that is allowed to bypass rebind checks.

For now I bypass this by using Services: Unbound DNS: Overrides and then Domain overrides, and I put dishy.starlink.com in there with 8.8.8.8, and this bypasses the rebind checks. I would rather not have to put the DNS server and let it query any DNS server, and just allow a private IP address reply to be accepted for this particular domain name. But at least it works for now.

You can still add custom configuration to Unbound in a supported way:
https://docs.opnsense.org/manual/unbound.html#advanced-configurations

The answer to this is a bit hidden, I plan to work on moving this soon as part of a larger set of changes.

In Unbound -> Blocklists, there is the option to set private-domains and insecure-domains. These do not apply only to blocklists and are global instead. Make sure you manually restart Unbound after Downloading & Applying.

Cheers,
Stephan


So, an additional update.

Quote from: pmhausen on August 18, 2022, 06:20:52 AM
You can still add custom configuration to Unbound in a supported way:
https://docs.opnsense.org/manual/unbound.html#advanced-configurations
I can't (to my knowledge) use this facility to cancel out the line `private-address: 10.0.0.0/8`. And this line is always added (addendum below).

Quote from: tuto2 on August 18, 2022, 09:56:07 AM
In Unbound -> Blocklists, there is the option to set private-domains and insecure-domains. These do not apply only to blocklists and are global instead. Make sure you manually restart Unbound after Downloading & Applying.
This didn't work for me, because the list of domains to allow-list is numerous: ~300 that I know of, but more come and go daily. What I need is to allow-list the private IP range that they resolve to (10.0.0.0/8 in my case).

...

So, I found that the line in question is generated from this file: /usr/local/etc/inc/plugins.inc.d/unbound.inc
For a short time, I changed this and marked it immutable, but updating the Unbound service wants to update this file (and I probably want to allow that). So, now I think I've tracked down that the PHP includes that block of configuration when this is true:
if (!isset($config['system']['webgui']['nodnsrebindcheck']))

So I edited `/usr/local/etc/config.xml` (which I _think_ is the correct place) and added a `nodnsrebindcheck` attribute under system.webgui (see attachment for context). I restarted the webgui and unbound (in that order), but no love. Either this is the wrong place to configure this or restarting the webgui doesn't bounce (or reload) the PHP service. I'll test a full restart of the box in the next downtime window to see if this works. But if anyone knows where `$config['system']['webgui']['nodnsrebindcheck']` comes from and where I can configure it persistently, I would trade good vibes for that information.

Cheers,
Christopher
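To make the two mechanisms the thread keeps circling concrete, here is an added Python example (not OPNsense or Unbound code) that parses dig output like the Starlink answer quoted above and applies the private-address / private-domain semantics the posts describe, so you can see which of your public names would be dropped and what a given private-domain list would rescue. The app.internal.example.net record and the zone names passed to it are constructed.

```python
import ipaddress
import re

# Ranges the thread's generated unbound.conf lists under private-address
# (constructed here to match the RFC 1918 blocks discussed; extend as needed).
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches an A/AAAA line such as: dishy.starlink.com. 474 IN A 192.168.100.1
ANSWER_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+(A|AAAA)\s+(\S+)$")

# Sample input: the dishy.starlink.com answer quoted in the thread plus one
# constructed 10/8 record standing in for the records the poster publishes.
SAMPLE_DIG = """\
;; ANSWER SECTION:
dishy.starlink.com. 474 IN A 192.168.100.1
app.internal.example.net. 300 IN A 10.4.2.7

;; Query time: 2 msec
"""

def parse_answers(dig_output):
    """Return (owner, rrtype, address) tuples from dig's ANSWER SECTION."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer:
            m = ANSWER_RE.match(line.strip())
            if not m:            # blank line or next section ends the answers
                in_answer = False
            else:
                records.append((m.group(1).lower(), m.group(2), m.group(3)))
    return records

def under_private_domain(owner, private_domains):
    """private-domain exempts the listed zone and every name beneath it."""
    return any(owner == d or owner.endswith("." + d) for d in private_domains)

def rebind_verdict(owner, address, private_domains=()):
    """'filtered' if Unbound's private-address check would drop this answer."""
    addr = ipaddress.ip_address(address)   # IPv6 never falls in an IPv4 net
    if any(addr in net for net in PRIVATE_ADDRESS) \
            and not under_private_domain(owner, private_domains):
        return "filtered"
    return "pass"

def audit(dig_output, private_domains=()):
    """One verdict per answer, showing what a private-domain list fixes."""
    return [(owner, addr, rebind_verdict(owner, addr, private_domains))
            for owner, _rrtype, addr in parse_answers(dig_output)]
```

Call `audit(SAMPLE_DIG, private_domains=("starlink.com",))` to see the Starlink answer pass while the 10/8 record stays filtered, which is exactly why a per-domain allow-list does not scale to the ~300 names in the post above.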


Quote from: TopherIsSwell on September 06, 2022, 07:22:05 PM
But if anyone knows where `$config['system']['webgui']['nodnsrebindcheck']` comes from and where I can configure it persistently, I would trade good vibes for that information.

Well consider donating some good vibes: System -> Settings -> Administration -> DNS rebind check.

I suppose you're aware of the potential consequences of checking this button? :)

Cheers,
Stephan