Hi, maybe @vcunat here can help. Does kresd support in the standard configuration in Turris OS the rebind protection? I tried the simple test on this wiki Filters · DNSCrypt/dnscrypt-proxy Wiki · GitHub and kresd correctly resolves all the domains that should be blocked.
It’s not enabled by default.
Why: my understanding is that the related attacks are rather exploiting issues in web security than being a DNS problem in itself. Also, there are use cases where such addresses are used for signalling and blocking them would cause issues.
How: add a single line
modules.load('rebinding < iterate') to kresd config. If you don’t have custom config yet, here’s how: DNS tricks for Omnia and MOX (i.e. kresd) [Turris wiki]