Sv: Sv: Sv: respond with fake IP for DNS rebinding hits?
Sebastian Nielsen
sebastian at sebbe.eu
Wed Nov 19 19:03:00 UTC 2025
Correct, I have manually set up the DNS rebinding protection feature, to increase security.
Is there any way to rewrite all 127.0.0.0/8 responses to a custom IP? Suspect there is some rewrite module or similiar that can replace responses right?
Mail server and LAN clients are behind the same firewall, thats why I need rebinding protection. Could move the mailserver off the LAN to a separate net, but requires pulling a long new patch cable.
-----Ursprungligt meddelande-----
Från: A.Schulze via Unbound-users <unbound-users at lists.nlnetlabs.nl>
Skickat: den 19 november 2025 19:38
Till: unbound-users at lists.nlnetlabs.nl
Ämne: Re: Sv: Sv: respond with fake IP for DNS rebinding hits?
Am 19.11.25 um 18:29 schrieb Sebastian Nielsen via Unbound-users:
> Here is a example:
> goteborg.se
> It has this weird "exists:%{i}.spf.hc2437-76.eu.iphmx.com" which for a valid connection translates to 127.0.0.2
>
> Try with for example, 23.90.102.86.spf.hc2437-76.eu.iphmx.com
>
> You can see here:
> https://mxtoolbox.com/SuperTool.aspx?action=a%3a23.90.102.86.spf.hc2437-76.eu.iphmx.com&run=toolpage
> This 127.0.0.2 gets caugt in the DNS rebinding filter, and then the SPF validation fails.
Now I understand your setup.
man (5) unbound.conf say
private-address:
... We consider to enable this for the RFC1918 private IP address space by default in later releases ...
I assume, "private-address" setting is not set by default for good reasons and the unbound developer
didn't changed that default till today.
I see the value of rebind protection a systems, used by humans.
But a mail server is an other use-case.
One way to solve your issue is to run two resolver instances. One for servers and one for end-user systems,
only the later configured with "private-address".
Andreas
More information about the Unbound-users
mailing list