This is a Profile Option that you can enable on any of your Profiles. With this enabled, any Device that enforces this Profile will not resolve any RFC1918 and loopback (localhost) addresses found in public DNS. You can still make your own custom rules that spoof domains to to these IP ranges.
No DNS rebind protection.
test@test-vm:~$ dig +short rfc1918.test.controld.org 192.168.0.1
Now enable DNS rebind protection.
test@test-vm:~$ dig +short rfc1918.test.controld.org 0.0.0.0
Updated 10 months ago