Sv: respond with fake IP for DNS rebinding hits?

Sebastian Nielsen sebastian at sebbe.eu
Wed Nov 19 15:16:07 UTC 2025


For RBLs I have exceptions. For each RBL server, I have private-domain configured, allowing each RBL server I use, which is then whitelisted, to respond with 127.x.x.x.

However, when a mail provider configures "exists:" in their SPF with a macro, it becomes a problem because I can't anticipate who is going to send mail to me, check their SPF for an "exists:" and then whitelist their weird server.

This causes my DNS to trip rebind protection and return SERVFAIL, and then SPF fails with an SPF failure since the record doesn't "exist" (when it really does; DNS rebind protection just swallowed the record).
Since I have regular client computers behind the same firewall, I can't just disable DNS rebind protection.

So what I want unbound to do is, instead of "swallowing" the response when it's a "prohibited rebind response", to respond with a bogus IP address. This way any rebind attempts will fail, while the "exists:" mechanism in SPF still works anyway (since the exists: mechanism doesn't care about the IP address).


The easiest way would be to have some rewrite mechanism: if the A record would contain 127.0.0.0/8, rewrite that to 192.0.2.123.
Does something like that exist in unbound?
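To make the interaction concrete, here is an added Python model (not unbound's code and not from the thread) of the three pieces involved: a resolver that applies a private-address filter with private-domain exceptions, a small SPF macro expander, and an exists: check. The zone data, names and the rewrite_to option are constructed assumptions; the filter returns SERVFAIL when every address is dropped, as the thread reports.

```python
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network("127.0.0.0/8")]   # modelled private-address

def rebind_filter(name, answers, private_domains, rewrite_to=None):
    """Model the private-address check: for names not under a private-domain
    exception, drop answers inside PRIVATE_NETS. If nothing is left, the thread
    reports SERVFAIL. rewrite_to models the behaviour asked for in the thread
    (substitute a bogus address instead of dropping); it is not an unbound feature."""
    if not answers or any(name == d or name.endswith("." + d) for d in private_domains):
        return answers
    kept = []
    for a in answers:
        if any(ipaddress.ip_address(a) in net for net in PRIVATE_NETS):
            if rewrite_to:
                kept.append(rewrite_to)
        else:
            kept.append(a)
    return kept if kept else "SERVFAIL"

# Constructed sample zone: name -> A records
ZONE = {
    "2.0.0.127.rbl.example.net": ["127.0.0.2"],        # RBL "listed" answer
    "203.0.113.7._spf.example.com": ["127.0.0.1"],     # exists: target answered with loopback
}
PRIVATE_DOMAINS = ["rbl.example.net"]                  # the RBL exception from the thread

def resolve(name, rewrite_to=None):
    if name not in ZONE:
        return []                                      # no data: exists: does not match
    return rebind_filter(name, ZONE[name], PRIVATE_DOMAINS, rewrite_to)

def expand_macro(spec, ip, sender, domain):
    """Expand a subset of SPF macros: %{i} %{ir} %{s} %{l} %{o} %{d}."""
    local, _, sender_domain = sender.partition("@")
    vals = {"i": ip, "ir": ".".join(reversed(ip.split("."))), "s": sender,
            "l": local, "o": sender_domain, "d": domain}
    out, i = "", 0
    while i < len(spec):
        if spec.startswith("%{", i):
            j = spec.index("}", i)
            out += vals[spec[i + 2:j]]
            i = j + 1
        else:
            out += spec[i]
            i += 1
    return out

def spf_exists(spec, ip, sender, domain, rewrite_to=None):
    """One exists: mechanism: any A record matches regardless of its value;
    a DNS error is temperror (RFC 7208 section 5)."""
    answers = resolve(expand_macro(spec, ip, sender, domain), rewrite_to)
    if answers == "SERVFAIL":
        return "temperror"
    return "match" if answers else "no-match"

def rbl_listed(ip, zone="rbl.example.net"):
    answers = resolve(".".join(reversed(ip.split("."))) + "." + zone)
    return answers != "SERVFAIL" and bool(answers)
```

Run as-is, the RBL lookup passes through the private-domain exception while the same loopback answer for the exists: target is swallowed; with rewrite_to set, exists: matches again.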

-----Original Message-----
From: A. Schulze via Unbound-users <unbound-users at lists.nlnetlabs.nl>
Sent: 19 November 2025 15:47
To: unbound-users at lists.nlnetlabs.nl
Subject: Re: respond with fake IP for DNS rebinding hits?


sebastian via Unbound-users:

> I currently have an unbound server. However, with some mail providers
> using the "exists:" mechanism and returning 127.0.0.1, this
> obviously triggers a DNS rebinding protection and SERVFAIL. This
> ultimately leads to an SPF rejection. Is there any way to configure
> unbound so that if the rebinding protection trips, it will
> instead return a non-routable bogus IP like "192.0.2.123"
> (documentation only), which both ensures the "exists:" mechanism
> works as intended and protects the localhost if a malicious
> actor were to do a rebinding attack? I'm thinking of excluding
> 127.0.0.0/8 from private-address, and then using some sort of rewriting
> mechanism, if this exists in unbound?

Hi,

Could you describe more verbosely who asks what and why? -> full queries
RBLs use an answer of 127.0.0.1 all the time. I don't see why this
should be a rebind attack.
Do you have a special unbound setting enabled?

Andreas
