Sv: Sv: respond with fake IP for DNS rebinding hits?

Sebastian Nielsen sebastian at sebbe.eu
Wed Nov 19 17:29:14 UTC 2025


Here is an example:
goteborg.se
It has this weird "exists:%{i}.spf.hc2437-76.eu.iphmx.com" which for a valid connection translates to 127.0.0.2

Try with for example, 23.90.102.86.spf.hc2437-76.eu.iphmx.com

You can see here:
https://mxtoolbox.com/SuperTool.aspx?action=a%3a23.90.102.86.spf.hc2437-76.eu.iphmx.com&run=toolpage
This 127.0.0.2 gets caught in the DNS rebinding filter, and then the SPF validation fails.


Here is the relevant config portion for the DNS rebinding protection:

server:
    private-domain: sebbe.eu
    private-domain: list.dnswl.org
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 169.254.0.0/16
    private-address: 127.0.0.0/8
    private-address: 0:0:0:0:0:ffff:c0a8:0/112
    private-address: 0:0:0:0:0:ffff:a00:0/104
    private-address: 0:0:0:0:0:ffff:ac10:0/108
    private-address: 0:0:0:0:0:ffff:a9fe:0/112
    private-address: 0:0:0:0:0:ffff:7f00:0/104
    private-address: ::1/128
    private-address: fd00::/8
    private-address: fe80::/10


The "private-domain" whitelists certain DNS servers to respond with a private-address.
So list.dnswl.org and sebbe.eu are permitted to respond with any address listed as private-address.
Any other server responding with an IP listed as private-address is blocked.


Now I would want to, instead of blocking the 127.0.0.0/8 responses, respond with a bogus IP like "192.0.2.123", which is an IP reserved for documentation (TEST-NET) and which is unroutable in LAN environments, in the localhost environment and also on the internet.

Thus, it still provides a record so the IP "exists:", but still protects any clients behind the same firewall from DNS rebinding attacks.


-----Original Message-----
From: A.Schulze via Unbound-users <unbound-users at lists.nlnetlabs.nl> 
Sent: 19 November 2025 18:19
To: unbound-users at lists.nlnetlabs.nl
Subject: Re: Sv: respond with fake IP for DNS rebinding hits?



On 19.11.25 at 16:16, Sebastian Nielsen via Unbound-users wrote:
> For RBLs I have exceptions. For each RBL server, I have private-domain configured, allowing each RBL server I use, which then is whitelisted, to respond with 127.x.x.x.

I've still no idea what your problem is. Can you provide example domains with an SPF record containing 'exists:'?
Also I would like to know your "whitelist" -> can you post your unbound.conf?

Andreas
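The filter behaviour described in this thread, and the rewrite-to-TEST-NET variant the poster asks for, modelled in Python as an added example (not Unbound's code and not from the thread). The config is a cut-down copy of the posted options; the SPF name and its 127.0.0.2 answer are from the mail, while the dnswl answer and the 198.51.100.7 value are constructed.

```python
import ipaddress

# Cut-down copy of the private-domain / private-address options from the mail.
UNBOUND_CONF = """
server:
    private-domain: sebbe.eu
    private-domain: list.dnswl.org
    private-address: 127.0.0.0/8
    private-address: 10.0.0.0/8
"""

# TEST-NET-1 address the poster proposes as a harmless stand-in answer.
TESTNET_STANDIN = ipaddress.ip_address("192.0.2.123")

# Constructed upstream answers: the SPF entry mirrors the mxtoolbox lookup in
# the mail, the dnswl entry is a made-up listing hit in 127.0.0.0/8 style.
UPSTREAM = {
    "23.90.102.86.spf.hc2437-76.eu.iphmx.com": "127.0.0.2",
    "2.0.0.127.list.dnswl.org": "127.0.10.2",
    "example.invalid": "198.51.100.7",
}


def parse_conf(text):
    """Collect private-domain names and private-address networks."""
    domains, nets = [], []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "private-domain":
            domains.append(value.strip().lower().rstrip("."))
        elif key == "private-address":
            nets.append(ipaddress.ip_network(value.strip(), strict=False))
    return domains, nets


def under_private_domain(qname, domains):
    """True if qname equals or is a subdomain of a whitelisted name."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def filter_answer(qname, answer, conf_text, rewrite=False):
    """Return the address handed to the client, or None if Unbound drops it.
    rewrite=True substitutes the TEST-NET stand-in instead of dropping."""
    domains, nets = parse_conf(conf_text)
    ip = ipaddress.ip_address(answer)
    if under_private_domain(qname, domains) or not any(ip in n for n in nets):
        return ip
    return TESTNET_STANDIN if rewrite else None


def spf_exists_passes(client_ip, template, rewrite=False):
    """Simplified SPF 'exists:' check: expand %{i}, pass if an A record survives."""
    name = template.replace("%{i}", client_ip)
    raw = UPSTREAM.get(name)
    return raw is not None and filter_answer(name, raw, UNBOUND_CONF, rewrite) is not None
```

Note that with the rewrite variant the "exists:" mechanism passes even though the client never sees a loopback address; only the presence of an answer matters to SPF.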
