Bugzilla – Bug 1166
Use cname to bypass private-address/private-domain enforcement
Last modified: 2016-11-30 20:42:18 CET
Hello,

If I have unbound configured with the following options:

    private-address: 10.0.0.0/8
    private-domain: "privatedomain.com"

Then private-address resolution with "privatedomain.com" is enforced properly.

e.g.,
    $ host vault.privatedomain.com
    vault.privatedomain.com A 10.0.0.1

But attacker-submitted lookups will bypass the DNS Rebinding protection.

e.g.,
    $ host www.baddomain.org
    www.baddomain.org CNAME vault.privatedomain.com
    vault.privatedomain.com A 10.0.0.1

Hi Kbudhram,

Yes, CNAMEs can change the name to another one and then bypass the localzone filter. This is part of the design and not something I can fix for you. Unbound first checks for the localzone filters, and once that is done it works on the internet-facing resolution. That part then has a CNAME, but no longer has the localzone filters, so it gets the answer from the internet.

Best regards,
Wouter

Hi Wouter,

We see the problem when the internet-facing resolution comes back, and the CNAME switches to a lookup on an internal stubzone. I understand that iter_priv methods only look at the currently handled packet, and not any of the history for the request, so the bypass succeeds.

Is it worthwhile to block resolution at the CNAME lookup, if it would resolve to a private-domain zone record?

e.g.,
    $ host www.baddomain.org
    www.baddomain.org NXDOMAIN
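
Added example, not part of the bug thread and not Unbound's code: a simplified Python model of the per-packet check described in the comments, next to a check that remembers the name the client originally asked for. The function names and the packet tuples are assumptions; the records are constructed from the lookup in the report.

```python
import ipaddress

# Values from the bug report's configuration; everything else is a simplified model.
PRIVATE_ADDRESS = [ipaddress.ip_network("10.0.0.0/8")]
PRIVATE_DOMAIN = ["privatedomain.com"]

def in_private_domain(name):
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in PRIVATE_DOMAIN)

def is_private_address(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_ADDRESS)

def per_packet_allows(packet):
    """Judge one response in isolation: a private address is acceptable
    only when its owner name is inside a private-domain."""
    return all(
        in_private_domain(owner) or not is_private_address(rdata)
        for owner, rtype, rdata in packet if rtype == "A"
    )

def chain_aware_allows(qname, packets):
    """Judge the whole resolution: a private address is acceptable only
    when the name the client asked for is inside a private-domain."""
    if in_private_domain(qname):
        return True
    return not any(
        rtype == "A" and is_private_address(rdata)
        for packet in packets for owner, rtype, rdata in packet
    )

# Constructed responses matching the lookup in the report.
QNAME = "www.baddomain.org"
PACKETS = [
    [("www.baddomain.org", "CNAME", "vault.privatedomain.com")],  # internet-facing answer
    [("vault.privatedomain.com", "A", "10.0.0.1")],               # internal stub zone answer
]

if __name__ == "__main__":
    # Each packet passes on its own, but the resolution as a whole does not.
    print("per-packet:", [per_packet_allows(p) for p in PACKETS])
    print("chain-aware:", chain_aware_allows(QNAME, PACKETS))
```

Each response passes the per-packet check because the CNAME carries no address and the A record's owner is inside the private-domain; only the check keyed on the original query name rejects the chain.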