On Mon, 25 Jun 2018, Brannon Dorsey wrote:
> Users can protect themselves from this type of attack by using a DNS
> resolver that filters out private IP addresses from public DNS responses.
> OpenDNS and dd-wrt can both provide this functionality if configured
> properly, but my question is, *why not block this type of illegitimate and
> dangerous DNS behavior at the browser level?*
>
> I'm interested in discussing the possibility of providing protection against
> DNS rebinding in the Firefox browser itself. As far as I see it, a domain
> name should never be allowed to respond with a private IP address moments
> after it first responded with a public IP address.
First, I think downright denying "private IP addresses" from DNS responses is
very hard and is doomed to break the web experience for a set of users who use
private/local DNSes etc.
Refusing private addresses for a host name that "recently" returned
non-private ones seems like it perhaps could be doable, but would introduce an
interesting caching challenge since we'd need to keep the "local IP ban"
around on a per host name basis for a period of time after each host was
resolved (with non-local addresses) and the cache would have to be kept
independent of the regular DNS cache. Depending on how long we'd want to cache
the local-ip-banned host name, it could mean quite a lot of memory... How long
would a sensible time be anyway?
As a side-note: we already deny RFC1918-addresses from DNS-over-HTTPS
responses so in that regard, using TRR will save you from these DNS attacks!
--
/ daniel.haxx.se
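As an added illustration of the per-host "local IP ban" sketched above (example code written for this page, not Firefox code or anything posted in the thread): a small resolver-side filter where a public answer opens a ban window kept in its own table, a private-only answer for that name inside the window is refused, and a `strict` flag gives the unconditional RFC1918 drop that the DoH/TRR path already applies. The host names, addresses and the 300 second window are constructed sample values.

```python
import ipaddress
import time


def is_private(addr: str) -> bool:
    """True for RFC 1918, loopback, link-local and similar ranges (v4 and v6)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local


class RebindGuard:
    """Per-host 'local IP ban' table, kept apart from the regular DNS cache."""

    def __init__(self, ban_seconds: float = 300.0, strict: bool = False):
        self.ban_seconds = ban_seconds  # how long a ban outlives the public answer
        self.strict = strict            # True: refuse private answers unconditionally
        self.bans = {}                  # host -> ban expiry, in seconds

    def prune(self, now: float) -> int:
        """Drop expired bans so the table does not grow without bound."""
        self.bans = {h: t for h, t in self.bans.items() if t > now}
        return len(self.bans)

    def filter(self, host: str, answers, now=None):
        """Return the subset of answers a client may use for host."""
        now = time.monotonic() if now is None else now
        host = host.lower().rstrip(".")
        public = [a for a in answers if not is_private(a)]
        private = [a for a in answers if is_private(a)]
        if public:
            # A public answer starts (or extends) the ban window for this name,
            # and any private address mixed into the same answer is dropped.
            self.bans[host] = now + self.ban_seconds
            return public
        banned = self.bans.get(host, 0) > now
        if self.strict or banned:
            return []        # private-only answer inside the window: refused
        return private       # no public history: plausibly a local DNS name
```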
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform