rebind

package module
v0.0.0-...-804aa09
Published: Sep 21, 2021 License: Apache-2.0 Imports: 13 Imported by: 0

README

rebind

Name

rebind - guards against DNS rebinding attacks by removing answers that point to local/private IP ranges from responses before they reach the client.

Description

The rebind plugin helps prevent DNS rebinding attacks by removing any answer that points into a local/private IP range before the response is written to the client. In a rebinding attack an attacker-controlled name first resolves to a public address and, once that short-lived answer expires, to an address inside the victim's network, so a page already loaded from that origin can reach internal services while staying within the browser's same-origin policy. Stripping private-range answers at the resolver means the second resolution never delivers an internal address.

Syntax

rebind [ZONES...] {
    except [ZONES...]
    filter [CIDRS...]
}
  • rebind ZONES... defines the zones whose responses are filtered. If ZONES is empty or not specified, the list of zones is inherited from the enclosing server block.

  • except ZONES... excludes the listed zones from rebind filtering. Use it for zones you know legitimately return private addresses (for example an internal zone served by the file plugin), so their answers are not stripped.

  • filter CIDRS... defines the list of CIDR ranges that are treated as private/local and removed from answers. By default the following ranges are filtered:

    • IPv6 private: fc00::/7 fec0::/10
    • IPv4 private: 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12
    • IPv6 link local: fe80::/10
    • IPv4 link local: 169.254.0.0/16
    • IPv6 loopback: ::1/128
    • IPv4 loopback: 127.0.0.0/8

    Note that when this option is used the entire default list of CIDRs above is replaced with the CIDRs given here, so any default range you still want filtered must be listed again. The defaults also do not cover, for example, 0.0.0.0/8 or the unspecified address ::/128; add such ranges explicitly if your threat model needs them.
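The following Go program is an added illustration of the filtering rules above and is not the plugin's own code: the real plugin works on miekg/dns messages inside CoreDNS, whereas this stand-alone program uses only the standard library. It shows the default CIDR list, the way a non-empty filter list replaces the defaults, and except-zone handling. The Answer type, the sampleResponse data and the decision to test exemption against the query name are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// defaultCIDRs mirrors the README's default "filter" list.
var defaultCIDRs = []string{
	"fc00::/7", "fec0::/10", // IPv6 private / site-local
	"10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", // IPv4 private
	"fe80::/10", "169.254.0.0/16", // link local
	"::1/128", "127.0.0.0/8", // loopback
}

// Answer stands in for a resource record (assumption: the real plugin works on miekg/dns RRs).
type Answer struct{ Name, Type, Data string } // owner name, type ("A", "AAAA", ...), rdata as text

// Filter is the compiled form of one rebind directive.
type Filter struct {
	nets   []*net.IPNet
	except []string // zones whose queries are never filtered
}

// NewFilter compiles the configuration. An empty cidrs list means the defaults;
// a non-empty list REPLACES them, as the README warns, so repeat any you still want.
func NewFilter(cidrs, except []string) (*Filter, error) {
	if len(cidrs) == 0 {
		cidrs = defaultCIDRs
	}
	f := &Filter{except: except}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("rebind: bad filter CIDR %q: %w", c, err)
		}
		f.nets = append(f.nets, n)
	}
	return f, nil
}

// inZone reports whether name is at or below zone, case-insensitively and on label boundaries.
func inZone(name, zone string) bool {
	name = strings.TrimSuffix(strings.ToLower(name), ".") + "."
	zone = strings.TrimSuffix(strings.ToLower(zone), ".") + "."
	return zone == "." || name == zone || strings.HasSuffix(name, "."+zone)
}

// IsPrivate reports whether ip is inside any filtered range. net.IPNet.Contains
// folds IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4, so an AAAA record of
// ::ffff:10.0.0.1 is still caught by 10.0.0.0/8.
func (f *Filter) IsPrivate(ip net.IP) bool {
	for _, n := range f.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Apply filters one response, returning the surviving answers and the number
// removed (what answers_removed_total would count). A query inside an except
// zone passes untouched (assumption: exemption is decided on the query name);
// only A/AAAA records carry an address, so other types are never removed.
func (f *Filter) Apply(qname string, answers []Answer) (kept []Answer, removed int) {
	for _, z := range f.except {
		if inZone(qname, z) {
			return answers, 0
		}
	}
	for _, a := range answers {
		if a.Type == "A" || a.Type == "AAAA" {
			if ip := net.ParseIP(a.Data); ip != nil && f.IsPrivate(ip) {
				removed++
				continue
			}
		}
		kept = append(kept, a)
	}
	return kept, removed
}

// sampleResponse is a constructed rebinding response: one public address, two private ones, one TXT.
var sampleResponse = []Answer{
	{"attacker.example.", "A", "203.0.113.5"},
	{"attacker.example.", "A", "10.0.0.1"},
	{"attacker.example.", "AAAA", "fd00::1"},
	{"attacker.example.", "TXT", "harmless"},
}

func main() {
	f, err := NewFilter(nil, []string{"myzone"})
	if err != nil {
		panic(err)
	}
	kept, removed := f.Apply("attacker.example.", sampleResponse)
	fmt.Printf("removed %d answers, kept %v\n", removed, kept)
}
```

The point to take from Apply is that it never rewrites a record, it only drops address records whose rdata falls in a configured range, so a response that contained only private addresses comes back with an empty answer section. NewFilter makes the replace-not-extend behaviour of filter explicit: passing a single extra range silently stops 10.0.0.0/8 and friends from being filtered unless they are listed again.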

External Plugin

rebind is an external plugin, which means it is not included in CoreDNS releases. To use rebind, you need to build a CoreDNS binary or image with rebind compiled in. In a nutshell:

  • Clone https://github.com/coredns/coredns
  • Add this plugin to plugin.cfg per the instructions in that file. Place its entry after cache but before the plugins that produce answers (file, forward and so on), so that responses are filtered on their way back and the cached copy is the already-filtered response.
  • Then build, and release to your own GitHub/Docker Hub repositories using Makefile.release and Makefile.docker.

Examples

A resolver that filters every response coming back from its upstream:

. {
    rebind
    forward . 8.8.8.8
}

The same, but responses for myzone, served locally from db.myzone, are allowed to carry private addresses:

. {
    rebind . {
       except myzone
    }
    file db.myzone myzone
    forward . 8.8.8.8
}

Metrics

If used in conjunction with the prometheus plugin then the following metrics are exported:

  • coredns_rebind_answers_removed_total{server} - counter of answers removed from responses

The server label is defined in the prometheus plugin documentation.

Documentation

Index

Constants

This section is empty.

Variables

var (
	// AnswersRemovedCount is the number of DNS answers removed because they pointed at a filtered local/private range.
	AnswersRemovedCount = promauto.NewCounterVec(prometheus.CounterOpts{
		Namespace: plugin.Namespace,
		Subsystem: pluginName,
		Name:      "answers_removed_total",
		Help:      "Counter of DNS answers removed by rebind",
	}, []string{"server"})
)

Functions

This section is empty.

Types

type Rebind

type Rebind struct {
	Next plugin.Handler
	// contains filtered or unexported fields
}

Rebind performs local/private address filtering.

func (*Rebind) Name

func (*Rebind) Name() string

Name implements the Handler interface.

func (*Rebind) ServeDNS

func (f *Rebind) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error)

ServeDNS implements the plugin.Handler interface.

type UpstreamInt

type UpstreamInt interface {
	Lookup(ctx context.Context, state request.Request, name string, typ uint16) (*dns.Msg, error)
}

UpstreamInt wraps the Upstream API so that a fake upstream can be injected during testing.
