dnsmasq and External Resolution of Internal Addresses

Tags: linux sysadmin

The dnsmasq program is used on many Linux computers and devices to handle DNS and DHCP. If you’re connected to the Internet through a Buffalo router of any recent vintage, you’re using dnsmasq right now unless you’ve thoroughly fiddled with the configuration, in which case you probably already know everything I’m about to write.

The --stop-dns-rebind option (or “No DNS Rebind” in the Buffalo DD-WRT GUI) makes dnsmasq reject, and log, any answer from an upstream name server that contains an address in the private ranges: the RFC 1918 blocks plus loopback and link-local space. This blocks a class of attacks, DNS rebinding, where bad dudes give their domain a very short TTL, point it at their own server long enough to load a page, and then re-point it at an address on your LAN; the browser’s same-origin policy still treats the attacker’s script as belonging to that domain, so it can read responses from internal hosts and ship them out. Zone administrators that publish private IP addresses within the public DNS space are usually either mistaken, dumb, or nefarious, and their results should be ignored whenever possible.

I really wrote myself into a corner with that last sentence, because I have a zone that responds with private IP addresses within the public DNS space. I am testing some fun and completely above board things with Amazon’s Route 53 service, and the quickest way to do so was to copy an internal zone from within the Freund Data Center Complex out to the cloud.

How do we fix it? If you’re using a recent version of dnsmasq (check `dnsmasq --version` and the man page), there’s a --rebind-domain-ok option that places the provided domains on a white list: answers for those names, and for anything under them, skip the rebind check, while every other domain stays protected. The syntax follows --server, so a line like `rebind-domain-ok=/example.com/` in dnsmasq.conf, or in DD-WRT’s “Additional DNSMasq Options” box if your firmware exposes it, is all it takes. If your router’s dnsmasq doesn’t support that option, then you can always disable the behavior entirely, but that turns off rebinding protection for every domain rather than just yours, so treat it as the last resort.
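To make the two settings concrete, here is an added example (mine, not dnsmasq’s code and not from the original post) that models dnsmasq’s rebind filter the way the man page describes it and runs a constructed set of upstream answers through two constructed dnsmasq.conf fragments: the recommended one, which keeps stop-dns-rebind on and exempts a single zone, and the “just disable it” one. The zone name lab.example.net, the hostnames and every address are assumptions standing in for the author’s Route 53 zone; the address ranges follow the documented behavior of --stop-dns-rebind, --rebind-localhost-ok and --rebind-domain-ok rather than dnsmasq’s source.

```python
"""Model of dnsmasq's DNS-rebinding filter, driven by a dnsmasq.conf fragment.

Added example, not dnsmasq's own code: the ranges and matching rules follow
the dnsmasq man page for --stop-dns-rebind, --rebind-localhost-ok and
--rebind-domain-ok. The config text, the zone name lab.example.net and the
upstream answers are all constructed for illustration.
"""
import ipaddress

# Constructed hardened config: protection stays on, only one zone is exempt.
HARDENED_CONF = """\
stop-dns-rebind
rebind-localhost-ok
# only the zone that legitimately publishes RFC 1918 space
rebind-domain-ok=/lab.example.net/
"""

# Constructed weak config: the "disable it entirely" route, protection off for every domain.
WEAK_CONF = """\
#stop-dns-rebind
"""

# IPv4 ranges the rebind check rejects (RFC 1918, "this" network, link-local);
# loopback is kept separate because --rebind-localhost-ok exempts it.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "0.0.0.0/8", "169.254.0.0/16")]
LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")
# IPv6: link-local and unique-local, plus IPv4-mapped addresses in the ranges above.
PRIVATE_V6 = [ipaddress.ip_network(n) for n in ("fe80::/10", "fc00::/7")]
LOOPBACK_V6 = ipaddress.ip_address("::1")


def parse_conf(text):
    """Pull the three rebind-related options out of a dnsmasq.conf fragment."""
    opts = {"stop_dns_rebind": False, "localhost_ok": False, "domain_ok": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comment lines start with '#'
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key == "stop-dns-rebind":
            opts["stop_dns_rebind"] = True
        elif key == "rebind-localhost-ok":
            opts["localhost_ok"] = True
        elif key == "rebind-domain-ok":
            # Accepts both "dom" and the --server-style "/dom1/dom2/" form.
            opts["domain_ok"] += [d.lower().strip(".")
                                  for d in value.strip().split("/") if d.strip()]
    return opts


def is_private(rdata, localhost_ok):
    """True if the rebind check would reject this A/AAAA rdata."""
    addr = ipaddress.ip_address(rdata)
    if addr.version == 6:
        if addr.ipv4_mapped is not None:            # ::ffff:10.0.0.5 counts as 10.0.0.5
            return is_private(str(addr.ipv4_mapped), localhost_ok)
        if addr == LOOPBACK_V6:
            return not localhost_ok
        return any(addr in net for net in PRIVATE_V6)
    if addr in LOOPBACK_V4:
        return not localhost_ok
    return any(addr in net for net in PRIVATE_V4)


def domain_exempt(qname, domain_ok):
    """rebind-domain-ok matches the listed domain itself and everything under it."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domain_ok)


def filter_answers(answers, opts):
    """Split (qname, rdata) upstream answers into the ones kept and the ones dropped."""
    kept, dropped = [], []
    for qname, rdata in answers:
        rejected = (opts["stop_dns_rebind"]
                    and not domain_exempt(qname, opts["domain_ok"])
                    and is_private(rdata, opts["localhost_ok"]))
        (dropped if rejected else kept).append((qname, rdata))
    return kept, dropped


# Constructed upstream answers, as a resolver might hand them to dnsmasq.
UPSTREAM_ANSWERS = [
    ("www.example.com", "198.51.100.10"),       # public address: always kept
    ("evil.example.org", "192.168.11.1"),       # rebinding attempt aimed at the router
    ("evil.example.org", "::ffff:10.0.0.5"),    # same attempt hidden in an IPv4-mapped AAAA
    ("localhost.example.org", "127.0.0.1"),     # loopback: kept only because of rebind-localhost-ok
    ("nas.lab.example.net", "10.20.0.7"),       # the exempted zone: kept
    ("printer.lab.example.net", "fd00:1::9"),   # ULA inside the exempted zone: kept
]

if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        kept, dropped = filter_answers(UPSTREAM_ANSWERS, parse_conf(conf))
        print(f"{label}: kept {len(kept)}, dropped {len(dropped)}")
        for qname, rdata in dropped:
            print(f"  dropped {qname} -> {rdata}")
```

With the hardened fragment the two evil.example.org answers are dropped and everything under lab.example.net passes; with the weak fragment nothing is dropped at all, which is the whole cost of disabling the feature. On a real router the equivalent check is to query the router for a name in your exempted zone and for a name you expect to be blocked: a blocked answer comes back empty, and dnsmasq logs a “possible DNS-rebind attack detected” warning for it.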