I use my Ubuntu 14.04 and 16.04 notebooks for development purposes and regularly run various servers (e.g. web servers) on a network address not otherwise accessible from the internet.
How do I avoid still exposing such servers to the world via my web browsers, in case someone rebinds his domain name to a private IP?
The attack is further described in https://en.wikipedia.org/wiki/DNS_rebinding
Ubuntu defaults to dnsmasq as a caching DNS server.
You can check if you are affected (some DNS servers have such protection enabled by default, so via your current connection you might already be safe)
Installing dnsmasq will automatically set up your /etc/resolv.conf to point all name resolution to the local dnsmasq instance.
The option to reject private IPs from upstream servers can easily be added:
Do not forget to restart the DNS server after changing options:
Test configuration as above, no 127.0.0.0/8 answer should be returned.
Refer to the dnsmasq manual in case your machine for any reason actually needs to query RBLs (such as the one referred in the test above) - partial exemptions from the protection are possible.
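An added example, not part of the original answer: a small checker that flags internal addresses in resolver answers, useful for confirming that rebind protection (the option the dnsmasq manual calls `stop-dns-rebind`) is filtering what the browser would otherwise receive. The range list, the `exempt` parameter, the function names and the sample `dig +short` output are assumptions constructed for illustration; the list does not claim to match dnsmasq's own.

```python
import ipaddress
import socket
import sys

# Assumed list of ranges a public name should not resolve to: loopback,
# RFC 1918, link-local, "this network", and the IPv6 equivalents.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample of `dig +short` output (CNAME line plus addresses).
SAMPLE = """alias.rebind.example.
127.0.0.2
192.168.1.10
93.184.216.34
::ffff:10.0.0.5
2001:db8::1
"""

def parse_dig_short(text):
    """Return the IP addresses in `dig +short` output, skipping CNAME lines."""
    addrs = []
    for line in text.splitlines():
        try:
            addrs.append(ipaddress.ip_address(line.strip()))
        except ValueError:
            continue  # CNAME target or blank line
    return addrs

def internal_answers(addrs, exempt=()):
    """Return the addresses that fall in INTERNAL_NETS and not in `exempt`."""
    skip = [ipaddress.ip_network(n) for n in exempt]
    flagged = []
    for addr in addrs:
        # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the embedded IPv4 address.
        probe = getattr(addr, "ipv4_mapped", None) or addr
        if any(probe in n for n in INTERNAL_NETS) and not any(probe in n for n in skip):
            flagged.append(addr)
    return flagged

def resolve(name):
    """Resolve through the system resolver configured in /etc/resolv.conf."""
    hosts = {info[4][0].split("%")[0] for info in socket.getaddrinfo(name, None)}
    return [ipaddress.ip_address(h) for h in sorted(hosts)]

if __name__ == "__main__":
    addrs = resolve(sys.argv[1]) if len(sys.argv) > 1 else parse_dig_short(SAMPLE)
    for addr in internal_answers(addrs):
        print("internal address in answer:", addr)
```

Run with a hostname argument to check live answers from the local resolver; with protection active, a name that points at a private address should produce no flagged output.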