After this week's attention to the META and Yandex localhost abuses, it is time to revisit a core feature/option of protective DNS that offers a feel-good moment to those who applied this safety technique long before this abuse report came about.
The in-depth report that triggered this is: Disclosure: Covert Web-to-App Tracking via Localhost on Android. I will address the META approach in a separate blog article, but here I want to focus on the Yandex approach to tracking users, specifically with the intent to bypass modern privacy standards and public policy. As with the vast majority of transactions online, including non-monetary information exchanges, DNS plays a necessary role. Yandex used yandexmetrica[.]com as a way to make a localhost connection, since that name resolved to 127.0.0.1. Yandexmetrica was literally designed to live inside your own device.
Most modern DNS servers offer DNS Rebind Protection; on some it is on by default, some include 127.0.0.0/8 and 0.0.0.0 in the protected ranges, while others include only the RFC 1918 ranges.
There is a long archive of discussions on the relative merits of blocking DNS answers that point to 127.0.0.1. Our perspective comes from doing this on millions of endpoints successfully, as evidenced by the simple result that our users, by default, were protected against this Yandex tracking effort many millions of times. According to passive DNS records, Yandex has been doing this since October 2017! At the same time, DNS rebind protection protected users against any other tracking effort that utilizes the same technique. The most common reason this protection technique has not been implemented in the past is its one-size-fits-all approach on traditional protective DNS resolvers, but more on that later.
In the case of the adam:ONE default, the anmuscle.conf file includes this line:
private-subnets=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,192.168.0.0/16,::ffff:a00:0/104,::ffff:ac10:0/108,::ffff:a9fe:0/112,::ffff:c0a8:0/112,fd00::/8,fe80::/10
private-subnets is the list we check DNS answers against; if an answer matches one of these ranges, that destination is rewritten and effectively blocked. Consider the difference here:
unprotectedendpoin
[...]
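The private-subnets check described above, as an added example in Python that is not adam:ONE's own code: it parses the exact private-subnets line from anmuscle.conf with the standard ipaddress module and sorts DNS answers into allowed and blocked, including a 0.0.0.0 answer, which this particular list does not cover. The record names and rdata in SAMPLE_ANSWERS are constructed for the example.

```python
import ipaddress

# The private-subnets line as shipped in adam:ONE's anmuscle.conf (taken from the page).
PRIVATE_SUBNETS = (
    "127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,192.168.0.0/16,"
    "::ffff:a00:0/104,::ffff:ac10:0/108,::ffff:a9fe:0/112,::ffff:c0a8:0/112,"
    "fd00::/8,fe80::/10"
)


def parse_private_subnets(value):
    """Parse a comma-separated private-subnets value into network objects."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()]


def is_rebind_answer(rdata, networks):
    """True if an A/AAAA answer lands inside a protected subnet.

    ipaddress returns False for a v4 address tested against a v6 network, so the
    IPv4-mapped prefixes in the list are what catch answers such as ::ffff:10.0.0.5.
    """
    addr = ipaddress.ip_address(rdata)
    return any(addr in net for net in networks)


def filter_answers(records, networks):
    """Split (name, rdata) answers into allowed and blocked, as a rebind filter would."""
    allowed, blocked = [], []
    for name, rdata in records:
        (blocked if is_rebind_answer(rdata, networks) else allowed).append((name, rdata))
    return allowed, blocked


# Constructed sample answers; the tracker name is defanged as on the page.
SAMPLE_ANSWERS = [
    ("yandexmetrica[.]com", "127.0.0.1"),      # the localhost trick described above
    ("example.com", "203.0.113.10"),           # ordinary public answer (TEST-NET-3)
    ("internal.example", "::ffff:10.0.0.5"),   # IPv4-mapped form of an RFC 1918 host
    ("peer.example", "fe80::1"),               # link-local IPv6
    ("null.example", "0.0.0.0"),               # not in this list, so it passes through
]

if __name__ == "__main__":
    nets = parse_private_subnets(PRIVATE_SUBNETS)
    allowed, blocked = filter_answers(SAMPLE_ANSWERS, nets)
    for name, rdata in blocked:
        print(f"blocked  {name} -> {rdata}")
    for name, rdata in allowed:
        print(f"allowed  {name} -> {rdata}")
```

Resolvers that also treat 0.0.0.0 as a rebind target, as mentioned above, would need 0.0.0.0/32 (or a wider range) appended to the list for the last sample answer to be blocked.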
This article has been indexed from Security Boulevard