
> One would have to be on the same LAN to exploit it.

For what it's worth, DNS rebinding attacks are commonly used against embedded devices, and remove this restriction.




Yeah, if you don't want to lose the protection provided by a firewall, then all you have to do is avoid running any web browsers on any devices on the LAN...

This should be a huge scandal. For some reason we tend to give browsers a free pass when it comes to security.


Speaking of rebinding attacks... does anyone know why Cloudflare's 1.1.1.1 resolver doesn't enforce this? It's the only "big" public one I know of that happily resolves RFC1918 IPs.


That's a terrible idea. For one, RFC1918 addresses are perfectly fine IP addresses, and as such are perfectly fine to put into DNS, but also, if your security depends on this, you are not secure, because rebinding attacks work just as well with non-RFC1918 addresses if that's what you happen to be using on your local network, so devices and software have to be secured against rebinding attacks with a non-filtering DNS anyway.

Plus, it just breaks things. More than once have I had the problem of trying to serve files to other devices on a LAN I was visiting, only for their idiotic local resolver to helpfully refuse resolving the host name of my laptop because, oh surprise, it resolved to an address on that LAN!
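Added example (not part of the thread): one common device-side defence that does not depend on resolver filtering is to reject any request whose Host header is not a name the device answers to, since a request arriving via a rebound name still carries the attacker's hostname in that header. The hostnames, addresses and ports below are constructed for illustration.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler

# Constructed values: the names and ports this hypothetical device answers to.
ALLOWED_HOSTS = {"printer.lan", "192.168.1.50", "fd00::50"}
ALLOWED_PORTS = {80, 8080}

def parse_host(header):
    """Split a Host header into (normalised host, port or None); None if malformed."""
    if not header or not header.isascii() or any(c.isspace() for c in header):
        return None
    if header.startswith("["):                  # bracketed IPv6 literal
        end = header.find("]")
        if end == -1:
            return None
        host, rest = header[1:end], header[end + 1:]
    else:
        host, sep, port = header.partition(":")
        rest = sep + port
    if rest and not (rest.startswith(":") and rest[1:].isdecimal()):
        return None                             # junk after the host, or empty port
    port = int(rest[1:]) if rest else None
    try:
        host = str(ipaddress.ip_address(host))  # canonical form for IP literals
    except ValueError:
        host = host.lower().rstrip(".")         # case-insensitive, drop root dot
    return host, port

def host_allowed(header, default_port=80):
    """True only if the Host header names this device on an expected port."""
    parsed = parse_host(header)
    if parsed is None:
        return False
    host, port = parsed
    port = default_port if port is None else port
    return host in ALLOWED_HOSTS and port in ALLOWED_PORTS

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Refuse before any application logic runs.
        if not host_allowed(self.headers.get("Host"), self.server.server_port):
            self.send_error(403, "Unrecognised Host header")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok\n")
```

The check works the same whether the LAN uses RFC1918 or public addresses, because it keys on the name the browser believes it is talking to, not on the address.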


Probably because things would break in subtle and confusing ways if they did.

E.g. you have a build server and chose to use live DNS to point at its artifacts on an internal network because it was simpler to just edit a single zone file.


Had never heard of DNS rebinding before. Very cool. I presume this is only useful for extremely targeted attacks given the strict timing requirements?


Nope, it would be pretty straightforward to set up a stateful DNS server that serves the "real" IP on first request from a new client, and then every subsequent request returns a local IP. That one DNS server would enable an attack on anyone who visits the malicious site.


No, people use it to scan entire LANs from the outside, untargeted exploration.



