respond with fake IP for DNS rebinding hits?

A. Schulze sca at andreasschulze.de
Wed Nov 19 14:45:18 UTC 2025


sebastian via Unbound-users:

> I currently have an unbound server. However, with some mail providers
> using the "exists:" mechanism and returning 127.0.0.1, this
> obviously triggers a DNS rebinding protection and SERVFAIL. This
> ultimately leads to an SPF rejection. Is there any way to configure
> unbound such that, if the rebinding protection trips, it will
> instead return a non-routable bogus IP like "192.0.2.123"
> (documentation only), which both ensures the "exists:" mechanism
> works as intended, but also protects the localhost if a malicious
> actor were to do a rebinding attack? I'm thinking of excluding
> 127.0.0.0/8 from private address, and then use some sort of rewriting
> mechanism if this exists in unbound?

Hi,

Could you describe in more detail who asks what and why? -> full queries
RBLs use an answer 127.0.0.1 all the time. I don't see why this
should be a rebind attack.
Do you have a special unbound setting enabled?

Andreas





