authorWarren Baker <warren@decoy.co.za>2010-12-17 19:12:12 +0200
committerWarren Baker <warren@decoy.co.za>2010-12-17 19:12:12 +0200
commitf6776caca5afceaa1a8349cca3d263c6635bf7fb (patch)
treeef9575b238fb8f78a212a56cc9b6bef66b6f3e26
parentbaed1fbf528a885c1c07bf38d1a5821f8c681828 (diff)
Add DNS Rebinding check as a checkbox. If any DNS answer returns an RFC1918 address, the answer is stripped unless the domain is configured in domainoverrides. With this option disabled, all RFC1918 answers will be returned. Possibly need to break this and a few other options into a rowhelper-type page...
-rw-r--r--config/unbound/unbound.inc28
-rw-r--r--config/unbound/unbound.xml7
2 files changed, 26 insertions, 9 deletions
diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc
index d044f739..7ba2c450 100644
--- a/config/unbound/unbound.inc
+++ b/config/unbound/unbound.inc
@@ -281,7 +281,6 @@ function unbound_resync_config() {
$host_entries = unbound_add_host_entries();
// Domain Overrides
- $private_domains = unbound_add_domain_overrides(true);
$domain_overrides = unbound_add_domain_overrides();
// Unbound Statistics
@@ -297,6 +296,24 @@ function unbound_resync_config() {
$cumulative_stats = "no";
$extended_stats = "no";
}
+
+ // Private-address support for DNS Rebinding
+ if($unbound_config['private_address'] == "on") {
+ $pvt_addr = <<<EOF
+# For DNS Rebinding prevention
+private-address: 10.0.0.0/8
+private-address: 172.16.0.0/12
+private-address: 192.168.0.0/16
+private-address: 192.254.0.0/16
+# private-address: fd00::/8
+# private-address: fe80::/10
+# Set private domains in case authorative name server returns a RFC1918 IP address
+EOF;
+
+ // Add private-domain options
+ $private_domains = unbound_add_domain_overrides(true);
+
+ }
// Set the number of threads equal to number of CPUs.
// Use 1 if for some reason this sysctl fails.
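Review bot: `$pvt_addr` and `$private_domains` are only assigned inside the `if($unbound_config['private_address'] == "on")` branch, but both are still interpolated unconditionally into the config heredoc in the third hunk (`{$pvt_addr}` / `{$private_domains}`) and the first hunk removed the unconditional `$private_domains` assignment, so with the checkbox off the generated unbound.conf is built from undefined variables (a PHP notice, and whatever that renders to in the file). Initialize both before the branch, `$pvt_addr = "";` and `$private_domains = "";`, so the off case emits nothing rather than relying on undefined-variable behaviour. Within the heredoc, `private-address: 192.254.0.0/16` is not an RFC1918 range (the link-local block is 169.254.0.0/16, so this looks like a typo carried over from the old block), and the `fd00::/8` / `fe80::/10` lines stay commented out, so answers pointing at IPv6 ULA or link-local hosts are not stripped even with the option on; the comment typo `authorative` should read `authoritative`. Presumably configs saved before this field existed will not contain `private_address` at all, in which case the `== "on"` test silently leaves the protection off despite the XML default of `on` until the page is re-saved — treating an unset key as enabled would avoid that. unbound_resync_config() starts before and continues after this hunk.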
@@ -344,14 +361,7 @@ unwanted-reply-threshold: 10000000
# Networks allowed to utilize service
access-control: 127.0.0.0/8 allow
{$unbound_allowed_networks}
-# For DNS Rebinding prevention
-private-address: 10.0.0.0/8
-private-address: 172.16.0.0/12
-private-address: 192.168.0.0/16
-private-address: 192.254.0.0/16
-# private-address: fd00::/8
-# private-address: fe80::/10
-# Set private domains in case authorative name server returns a RFC1918 IP address
+{$pvt_addr}
{$private_domains}
# Host entries
diff --git a/config/unbound/unbound.xml b/config/unbound/unbound.xml
index f7a851eb..43947698 100644
--- a/config/unbound/unbound.xml
+++ b/config/unbound/unbound.xml
@@ -118,6 +118,13 @@
<type>checkbox</type>
<default_value>on</default_value>
</field>
+ <field>
+ <fieldname>private_address</fieldname>
+ <fielddescr>Private Address support</fielddescr>
+ <description>With this option enabled &lt;a href="http://tools.ietf.org/html/rfc1918"&gt;RFC1918&lt;/a&gt; addresses are stripped away from DNS answers. Additionally, the DNSSEC validator may mark the answers bogus. This protects against &lt;a href="http://en.wikipedia.org/wiki/DNS_rebinding"&gt;DNS Rebinding&lt;/a&gt;. &lt;br/&gt; &lt;b&gt;Note:&lt;/b&gt; Domain Overrides and Host entries will be allowed to return answers if this option is enabled.</description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
<!--<field>
<fieldname>regdhcp</fieldname>
<fielddescr>Register DHCP leases</fielddescr>
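Review bot: The field description promises that RFC1918 addresses are stripped from answers, but the config block this option enables in unbound.inc leaves the IPv6 private ranges (`fd00::/8`, `fe80::/10`) commented out, so the text overstates the coverage for IPv6 answers; either state the limitation here or enable those lines. The closing note says both "Domain Overrides and Host entries" are still allowed to answer, yet the .inc change only adds `private-domain` entries via `unbound_add_domain_overrides(true)` — whether host entries bypass the filter depends on unbound's handling of local-data, which this commit does not touch, so that half of the claim should be verified before shipping the wording. Suggested: `&lt;b&gt;Note:&lt;/b&gt; Domains listed under Domain Overrides are still allowed to return private addresses when this option is enabled. IPv6 private ranges are not filtered.`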