[ previous ] [ next ] [ threads ]
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Andrew White <andywhite at gmail dot com>
 Cc:  Scott Ullrich <sullrich at gmail dot com>, m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] Re: [m0n0wall-commits] r397 - in branches/freebsd6: . phpconf/inc webgui
 Date:  Wed, 25 Aug 2010 15:37:53 -0400
On Wed, Aug 25, 2010 at 5:27 AM, Andrew White <andywhite at gmail dot com> wrote:
> I looked at extending domain overrides into dnsmasq exclusions for rebind
> checks, and as indicated, this was added in 2.53 and ISC lease file
> inclusion was removed in 2.46 of dnsmasq , so there there would have to be a
> drop of the ISC inclusion or some non trivial patching of dnsmasq.

Someone wrote something to replace that functionality that I believe
you could easily port. I'm not familiar with it at all though, and
don't remember who wrote it. It's not a patch to dnsmasq. Maybe Scott
knows more about that and can chip in. You may be able to find it
pretty easily by grepping and browsing the source.

> When you say
> On some things we warn the user that it might be a dns rebind and on the
> other checks
> we downright prevent the page from rendering with an error.
> Can you give me more detail, is this something we could port to m0n0wall
> easily ?

If accessing by a hostname that is not known to the system (it is not
the system's configured hostname, is not any configured dynamic DNS
hostnames, and is not any of the user-defined hostnames in an
additional field under System>Advanced), then the request is denied
and the user is given a screen showing a potential DNS rebinding
attack was detected. In that case you have to access by IP to get in,
or a known hostname.

The second bit is if accessing by an IP address that is not a locally
configured IP (any interface's IP, or any configured virtual IP), the
login page shows a warning that it is not a local IP and if the user
did not configure this forwarding they could be seeing a man in the
middle attack. That isn't specific to DNS rebinding, but is a good
check to have. That one is more difficult with m0n0wall as it uses
HTTP basic auth, these checks were added to pfSense 2.0 which uses
session auth where it can easily display a warning on the login
screen. In that case, login is still permitted, it's just a warning.

If you `git clone http://gitweb.pfsense.org/pfsense/mainline.git` and
`grep -ri rebind` you'll see where that is implemented. It's mostly in
etc/inc/auth.inc and etc/inc/authgui.inc, aside from the
user-configuration bits in the web interface. Those additional pieces
may be harder to implement in m0n0wall because of the HTTP basic auth,
as it's not as easy to display an error or warning to the user.