[GH-ISSUE #759] DNS Rebinding protection? #511

Closed
opened 2026-05-05 06:01:20 -06:00 by gitea-mirror · 7 comments
Originally created by @TobiX on GitHub (Sep 2, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/759

Since it came up again recently (http://bouk.co/blog/hacking-developers/), would it be possible to provide DNS rebinding protection (basically deny access to 127.0.0.1 or kill "suspicious" DNS responses) by default in the browser profiles? Or would that break too many legitimate use cases?

@manevich commented on GitHub (Sep 2, 2016):

I think the `--net=eth0` option is what you need.

@manevich commented on GitHub (Sep 2, 2016):

Adding this as default may be difficult, though.
Local proxies, DNS servers, the CUPS web interface, etc. will be affected.

@TobiX commented on GitHub (Sep 2, 2016):

I just realized that dnsmasq has `--stop-dns-rebind`, which rejects "local" IPs from upstream name servers. Basically my second idea... Now how to get this into default resolvers?

I just realized that DNSBLs return 127.0.0.x too, so blocking DNS responses for that will break DNSBL :(

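The filter discussed above, as an added example (not firejail or dnsmasq code): drop A/AAAA answers that point into loopback, link-local or private space, the way dnsmasq's `--stop-dns-rebind` does, but exempt allow-listed zones so DNSBL lookups that legitimately answer 127.0.0.x keep working. The zone names and answer records are constructed for the example; a real resolver would take them from its configuration and the wire response.

```python
"""Rebinding filter over DNS answers with a DNSBL allow-list (added example)."""
import ipaddress

# Constructed sample answers: (queried name, record type, answer value).
SAMPLE_ANSWERS = [
    ("example.com.", "A", "93.184.216.34"),
    ("attacker.example.", "A", "127.0.0.1"),        # rebind onto localhost
    ("attacker.example.", "A", "192.168.1.1"),      # rebind onto the LAN
    ("attacker.example.", "AAAA", "::1"),           # same trick over IPv6
    ("2.0.0.127.dnsbl.example.", "A", "127.0.0.2"), # DNSBL "listed" code
    ("cdn.example.", "CNAME", "edge.example."),     # not an address record
]

# Hypothetical DNSBL zones where loopback answers are expected
# (the equivalent of dnsmasq's rebind-domain-ok).
REBIND_DOMAIN_OK = ("dnsbl.example.",)


def is_local_address(value):
    """True for loopback, RFC 1918 / ULA, link-local or unspecified addresses."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:          # not an IP literal (e.g. a CNAME target)
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def under_allowed_zone(name, zones):
    """True when `name` is equal to or a subdomain of an allow-listed zone."""
    name = name.lower().rstrip(".") + "."
    return any(name == z or name.endswith("." + z) for z in zones)


def filter_answers(answers, rebind_domain_ok=REBIND_DOMAIN_OK):
    """Split answers into (kept, dropped); dropped ones would enable rebinding."""
    kept, dropped = [], []
    for name, rtype, value in answers:
        suspicious = rtype in ("A", "AAAA") and is_local_address(value)
        if suspicious and not under_allowed_zone(name, rebind_domain_ok):
            dropped.append((name, rtype, value))
        else:
            kept.append((name, rtype, value))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_answers(SAMPLE_ANSWERS)
    for rec in dropped:
        print("dropped (rebind risk):", rec)
    # With an empty allow-list the DNSBL answer is dropped as well,
    # which is exactly the breakage noted in the thread.
    print("dropped without allow-list:", len(filter_answers(SAMPLE_ANSWERS, ())[1]))
```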
@manevich commented on GitHub (Sep 2, 2016):

~~The `--netfilter` option of firejail can be used to selectively block access to local IPs/ports.
Block ports the browser never needs to connect to, leaving access to local services the user may want to access from the browser.
While this is not complete protection, it can reduce exposure, and may be acceptable in the default profile.~~

I am wrong here, --netfilter is only for new network namespaces.

@netblue30 commented on GitHub (Sep 3, 2016):

What happens if you pin down the DNS setting, something like `firejail --dns=8.8.8.8 firefox`? In this case 8.8.8.8 goes directly into /etc/resolv.conf. Will firefox still do the rebinding?

@manevich commented on GitHub (Sep 3, 2016):

This depends on the configuration of the DNS server.
The server may be configured to block private addresses (see the [comment](https://github.com/netblue30/firejail/issues/759#issuecomment-244462702) of @TobiX on dnsmasq, for example).
But as 127.0.0.0/8 addresses are returned by DNSBL servers, it seems very unlikely that mainstream DNS servers will employ such protection.

@chiraag-nataraj commented on GitHub (Sep 30, 2018):

This seems like something that should be addressed on the DNS server end, not firejail? On the `firejail` end, I think using a new network namespace is the right way to do this, but as @manevich said, this will break too many use cases. A proper solution should be implemented on the DNS server end, so I'm going to close this.

Reference: github-starred/firejail#511