I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1475605 to capture this issue and (most of) this discussion.
On Tue, Jun 26, 2018 at 5:17 PM, Brannon Dorsey <bran...@brannondorsey.com> wrote:
>
> > First, I think downright denying "private IP addresses" from DNS responses
> > is very hard and is doomed to break the web experience for a set of users
> > who use private/local DNSes etc.
>
> Yes, I concur. Let's not block them outright, but rather only in the
> instance that a domain name that previously resolved for a public IP is now
> resolving for a private one.
>
> I haven't taken a look at the browser's DNS caching code but I suspect that
> you are correct that we would need to maintain a separate cache
> specifically for the purpose of protecting against this malicious rebinding
> behavior.
>
> > Depending on how long we'd want to cache the local-ip-banned host name, it
> > could mean quite a lot of memory... How long would a sensible time be
> > anyway?
>
> We could maintain this cache based on time, but perhaps a better method
> would be to instead tie cache entries with browser windows/tabs and the web
> workers and iframes that they include. Once a domain name has been resolved
> to a public IP from a web page via HTML or JavaScript, or the child pages
> and workers that web page spawns, that domain name should never be
> permitted to resolve to a private IP. These cache entries could then be
> purged when a web page is closed instead of trying to heuristically choose
> an appropriate lifetime in seconds.
>
> PGP Public Key <https://keybase.io/brannondorsey/pgp_keys.asc>
> https://brannon.online <http://brannondorsey.com>
> @brannondorsey <https://twitter.com/brannondorsey>
>
> On Tue, Jun 26, 2018 at 4:25 PM, Daniel Stenberg <dan...@haxx.se> wrote:
>
> > On Mon, 25 Jun 2018, Brannon Dorsey wrote:
> >
> >> Users can protect themselves from this type of attack by using a DNS
> >> resolver that filters out private IP addresses from public DNS responses.
> >> OpenDNS and dd-wrt can both provide this functionality if configured
> >> properly, but my question is, *why not block this type of illegitimate and
> >> dangerous DNS behavior at the browser level?*
> >>
> >> I'm interested in discussing the possibility of providing protection
> >> against DNS rebinding in the Firefox browser itself. As far as I see it, a
> >> domain name should never be allowed to respond with a private IP address
> >> moments after it first responded with a public IP address.
> >
> > First, I think downright denying "private IP addresses" from DNS responses
> > is very hard and is doomed to break the web experience for a set of users
> > who use private/local DNSes etc.
> >
> > Refusing private addresses for a host name that "recently" returned
> > non-private ones seems like it perhaps could be doable, but would introduce
> > an interesting caching challenge since we'd need to keep the "local IP ban"
> > around on a per host name basis for a period of time after each host was
> > resolved (with non-local addresses) and the cache would have to be kept
> > independent of the regular DNS cache. Depending on how long we'd want to
> > cache the local-ip-banned host name, it could mean quite a lot of memory...
> > How long would a sensible time be anyway?
> >
> > As a side-note: we already deny RFC1918-addresses from DNS-over-HTTPS
> > responses so in that regard, using TRR will save you from these DNS attacks!
> >
> > --
> >
> > / daniel.haxx.se
>
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
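The thread above contrasts two defences against DNS rebinding: a resolver-side filter that simply drops private addresses from a public DNS answer (what Daniel says TRR/DNS-over-HTTPS already does), and a browser-side "local IP ban" list that only refuses a private answer for a host that previously resolved to a public address, scoped to a tab and its iframes/workers rather than to a timeout (Brannon's suggestion). The following Python models both. It is an added illustration, not code from the thread, from Firefox or from any resolver product; the hostnames, addresses and context ids are constructed sample values, the "browsing context" id is a hypothetical stand-in for a tab/window plus the workers and frames it spawns, and "private" is whatever the standard library's `ipaddress.is_private` classifies as such (RFC 1918, loopback, link-local and IPv6 unique-local space).

```python
"""Added example (not code from the thread or from Firefox): the two
DNS rebinding defences discussed on the list, modelled in Python.

1. strip_private_addresses(): resolver-side filter, as the thread says
   TRR/DNS-over-HTTPS already does: drop private addresses from an answer.
2. RebindingGuard: browser-side "local IP ban" list keyed by browsing
   context (tab + its iframes/workers) and purged on close, not by timeout.

Hostnames, addresses and context ids below are constructed sample values.
"""
from ipaddress import ip_address
from typing import Dict, List, Set


def is_private_address(addr: str) -> bool:
    """True for addresses a public web page should not be rebound onto.

    The stdlib `is_private` flag covers RFC 1918 (10/8, 172.16/12, 192.168/16),
    loopback, link-local and IPv6 unique-local space, which is the set the
    thread is concerned with. Ranges outside it (e.g. CGNAT 100.64/10) are not
    treated as private here; extend the check if a deployment needs that.
    """
    return ip_address(addr).is_private


def strip_private_addresses(addrs: List[str]) -> List[str]:
    """Resolver-side filter: keep only non-private addresses from an answer.

    A private address in a public DNS answer is discarded regardless of any
    resolution history, which is the simpler but more breakage-prone policy.
    """
    return [a for a in addrs if not is_private_address(a)]


class RebindingBlocked(Exception):
    """A host that already resolved to a public address now returns a private one."""


class RebindingGuard:
    """Browser-side, history-based guard (the "local IP ban" list).

    Entries are grouped by a hypothetical browsing-context id standing in for a
    tab or window and the iframes/workers it spawns, and purged when that
    context closes instead of expiring after a guessed number of seconds.
    """

    def __init__(self) -> None:
        # context id -> hostnames that have resolved to a public address there
        self._public_hosts: Dict[str, Set[str]] = {}

    def check_answer(self, context: str, host: str, addrs: List[str]) -> List[str]:
        """Validate a DNS answer for `host` as seen from `context`.

        Raises RebindingBlocked if the host previously returned a public
        address in this context and the new answer contains a private one.
        Otherwise records any public resolution and returns the answer as-is,
        so hosts that only ever resolve privately (local DNS) keep working.
        """
        host = host.lower().rstrip(".")
        seen = self._public_hosts.setdefault(context, set())
        private = [a for a in addrs if is_private_address(a)]
        if host in seen and private:
            raise RebindingBlocked(
                f"{host} resolved to private address(es) {private} after a public answer"
            )
        if any(not is_private_address(a) for a in addrs):
            seen.add(host)
        return addrs

    def is_banned(self, context: str, host: str) -> bool:
        """True if a private answer for `host` would be refused in `context`."""
        return host.lower().rstrip(".") in self._public_hosts.get(context, set())

    def close_context(self, context: str) -> None:
        """Purge the ban list for a closed tab/window (no time-based expiry)."""
        self._public_hosts.pop(context, None)


if __name__ == "__main__":
    guard = RebindingGuard()
    # Constructed sequence: a public answer, then a rebind to RFC 1918 space.
    guard.check_answer("tab-1", "rebind.example", ["93.184.216.34"])
    try:
        guard.check_answer("tab-1", "rebind.example", ["192.168.1.1"])
    except RebindingBlocked as exc:
        print("blocked:", exc)
    # A different tab carries no history for the host, so it is not affected.
    print(guard.check_answer("tab-2", "rebind.example", ["192.168.1.1"]))
    # Closing the tab drops its entries; the host may resolve privately again.
    guard.close_context("tab-1")
    print(guard.check_answer("tab-1", "rebind.example", ["192.168.1.1"]))
    print(strip_private_addresses(["93.184.216.34", "10.0.0.5", "fd00::1"]))
```

The per-context grouping is what makes Brannon's proposal cheap on memory: nothing has to be aged out, and the only state kept per tab is the set of hostnames it has already seen resolve publicly. The resolver-side `strip_private_addresses` needs no state at all but has the breakage cost Daniel describes for users whose internal names legitimately live in private space.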