When DNS rebinding protection is enabled in the UI, you have configured DNSmasq with a —rebind-localhost-ok switch which allows a DNS server on the internet to respond with 127.0.0.1. This is a security risk because it could allow a website to attack the local machine via scripting.
I am thinking that this option should either be A) left out, or B) optional in the UI. What are your thoughts?
P.S. - A user workaround for this vulnerability is to:
1) Disable (uncheck) rebinding protection in the UI
2) Add "stop-dns-rebind" to custom Dnsmasq configuration
Now the user is protected from IPv4 DNS rebinding localhost.
(Verify you get a blue outer ring with GRC's DNSBench utility http://www.grc.com/dns/benchmark.htm )