> First, I think downright denying "private IP addresses" from DNS responses
> is very hard and is doomed to break the web experience for a set of users
> who use private/local DNSes etc.

Yes, I concur. Let's not block them outright, but rather only in the instance that a domain name that previously resolved for a public IP is now resolving for a private one. I haven't taken a look at the browser's DNS caching code but I suspect that you are correct that we would need to maintain a separate cache specifically for the purpose of protecting against this malicious rebinding behavior.

> Depending on how long we'd want to cache the local-ip-banned host name, it
> could mean quite a lot of memory... How long would a sensible time be
> anyway?

We could maintain this cache based on time, but perhaps a better method would be to instead tie cache entries with browser windows/tabs and the web workers and iframes that they include. Once a domain name has been resolved to a public IP from a web page via HTML or JavaScript, or the child pages and workers that web page spawns, that domain name should never be permitted to resolve to a private IP. These cache entries could then be purged when a web page is closed instead of trying to heuristically choose an appropriate lifetime in seconds.

PGP Public Key <https://keybase.io/brannondorsey/pgp_keys.asc>
https://brannon.online <http://brannondorsey.com>
@brannondorsey <https://twitter.com/brannondorsey>

On Tue, Jun 26, 2018 at 4:25 PM, Daniel Stenberg <dan...@haxx.se> wrote:

> On Mon, 25 Jun 2018, Brannon Dorsey wrote:
>
>> Users can protect themselves from this type of attack by using a DNS
>> resolver that filters out private IP addresses from public DNS responses.
>> OpenDNS and dd-wrt can both provide this functionality if configured
>> properly, but my question is, *why not block this type of illegitimate and
>> dangerous DNS behavior at the browser level?*
>>
>> I'm interested in discussing the possibility of providing protection
>> against DNS rebinding in the Firefox browser itself. As far as I see it, a
>> domain name should never be allowed to respond with a private IP address
>> moments after it first responded with a public IP address.
>
> First, I think downright denying "private IP addresses" from DNS responses
> is very hard and is doomed to break the web experience for a set of users
> who use private/local DNSes etc.
>
> Refusing private addresses for a host name that "recently" returned
> non-private ones seems like it perhaps could be doable, but would introduce
> an interesting caching challenge since we'd need to keep the "local IP ban"
> around on a per host name basis for a period of time after each host was
> resolved (with non-local addresses) and the cache would have to be kept
> independent of the regular DNS cache. Depending on how long we'd want to
> cache the local-ip-banned host name, it could mean quite a lot of memory...
> How long would a sensible time be anyway?
>
> As a side-note: we already deny RFC1918-addresses from DNS-over-HTTPS
> responses so in that regard, using TRR will save you from these DNS attacks!
>
> --
>
> / daniel.haxx.se

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
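The tab-scoped "local IP ban" cache discussed in this thread, written out as an added model in Python. This is not code from the thread or from Firefox: the class and method names, the choice of tab id as the scope for a page plus its iframes and workers, the exact set of ranges counted as "private" (RFC 1918 plus loopback and link-local, with IPv4-mapped IPv6 unwrapped), and the host names and addresses in the demo are all assumptions or constructed sample data.

```python
"""Tab-scoped DNS rebinding guard (illustrative model, not Firefox code)."""
import ipaddress
from typing import NamedTuple

# Ranges treated as "private" here: RFC 1918 plus loopback and link-local for IPv4,
# and loopback, ULA and link-local for IPv6. The exact scope is an assumption.
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # IPv4 loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]


def is_private(ip: str) -> bool:
    """True if `ip` falls in one of the ranges above; IPv4-mapped IPv6 is unwrapped first."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:10.0.0.7 must count as 10.0.0.7
    return any(addr in net for net in _PRIVATE_NETS)


class Verdict(NamedTuple):
    allowed: list   # addresses the page may connect to
    blocked: list   # private answers dropped as a suspected rebind (worth logging)


class RebindingGuard:
    """Keeps, per top-level tab, the host names that have resolved to a public address.

    A tab id stands for a window/tab together with the iframes and workers it spawns,
    which is how the thread proposes scoping the ban. Pins are purged on close rather
    than expired after a guessed number of seconds, and live apart from the DNS cache.
    """

    def __init__(self) -> None:
        self._pinned: dict[str, set[str]] = {}   # tab_id -> hosts seen with a public IP

    def resolve(self, tab_id: str, host: str, answers: list[str]) -> Verdict:
        """Filter one DNS answer set for `host` requested from `tab_id`."""
        pinned = self._pinned.setdefault(tab_id, set())
        public = [a for a in answers if not is_private(a)]
        private = [a for a in answers if is_private(a)]
        if host in pinned or public:
            # The host has answered with a public address in this tab, now or earlier,
            # so private answers are dropped. Filtering a mixed public/private answer
            # set the same way is a design choice of this model, not of the thread.
            pinned.add(host)
            return Verdict(public, private)
        # Never seen public in this tab: a purely private answer passes, so names
        # served by private/local resolvers keep working.
        return Verdict(list(answers), [])

    def close_tab(self, tab_id: str) -> None:
        """Drop the tab's pins when the page is closed."""
        self._pinned.pop(tab_id, None)

    def pinned_hosts(self, tab_id: str) -> frozenset:
        """Hosts currently banned from private answers in `tab_id`."""
        return frozenset(self._pinned.get(tab_id, ()))


def demo() -> dict:
    """Constructed exchange: host names and addresses are placeholders, not real data."""
    guard = RebindingGuard()
    out = {}
    out["first"] = guard.resolve("tab-1", "rebind.example", ["203.0.113.10"])     # public: pin
    out["rebind"] = guard.resolve("tab-1", "rebind.example", ["192.168.1.1"])     # blocked
    out["mapped"] = guard.resolve("tab-1", "rebind.example", ["::ffff:10.0.0.7"])  # blocked
    out["intranet"] = guard.resolve("tab-1", "printer.corp.example", ["10.0.0.5"])  # allowed
    guard.close_tab("tab-1")   # page closed: its pins go with it, no TTL to tune
    out["after_close"] = guard.resolve("tab-1", "rebind.example", ["192.168.1.1"])  # fresh page, allowed
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} allowed={verdict.allowed} blocked={verdict.blocked}")
```

The `blocked` list is the detection hook: an answer set that moves a pinned host to a private address is exactly the behaviour the thread wants to refuse, so it is the event to count or log. The first-resolution path deliberately lets all-private answers through, which is what keeps split-horizon and home-router names working for the users Daniel is worried about.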