[Dnsmasq-discuss] stop-dns-rebind and IPv6

Simon Kelley simon at thekelleys.org.uk
Wed Sep 8 22:24:24 BST 2010


dnsmasq at flyingout.name wrote:
> Hey all,
> 
> I've searched the list, man, conf, etc. and didn't find anything on
> this.
> 
> I've been testing the rebinding protection and thought it was working
> until I hit it with a little dns testing tool over at grc.com. Some
> browsers issue A and AAAA queries and it appears dnsmasq is only
> blocking the A records. So, for example, if I point to my router via one
> of the grc generated urls in Firefox (OS X and Ubuntu), it gets there
> despite dnsmasq blocking the A record.
> 
> Is there a way to block the AAAA records as well?

No, but there probably should be.
> 
> dig net10.grctech.com A
> 
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> net10.grctech.com A
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57692
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;net10.grctech.com.             IN      A
> 
> ;; Query time: 22 msec
> 
> 
> good, but:
> 
> dig net10.grctech.com AAAA
> 
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> net10.grctech.com AAAA
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19161
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;net10.grctech.com.             IN      AAAA
> 
> ;; ANSWER SECTION:
> net10.grctech.com.      599819  IN      AAAA    ::ffff:10.0.0.1
> 
> ;; Query time: 18 msec
> 

What IPv6 ranges need to be blocked? The IPv4-mapped ones obviously, but
::1 also? What about the fe80:: link-local addresses?

Cheers,

Simon.
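
One way to check an AAAA answer against the ranges raised in this message (IPv4-mapped addresses, ::1 and fe80:: link-local), as an added example that is not dnsmasq code and not part of the original post. The function names, the enum and the set of IPv4 ranges treated as private are assumptions made for the illustration.

```c
/* Added example: classify an AAAA answer for rebind filtering. Not dnsmasq code. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum rebind_class { REBIND_OK, REBIND_MAPPED_PRIVATE, REBIND_LOOPBACK,
                    REBIND_LINKLOCAL, REBIND_BADADDR };

/* Assumed IPv4 block list for this example (address in host byte order). */
static int private_v4(uint32_t a)
{
    return (a >> 24) == 10      /* 10.0.0.0/8     */
        || (a >> 20) == 0xac1   /* 172.16.0.0/12  */
        || (a >> 16) == 0xc0a8  /* 192.168.0.0/16 */
        || (a >> 24) == 127     /* 127.0.0.0/8    */
        || (a >> 16) == 0xa9fe; /* 169.254.0.0/16 */
}

/* Classify the textual address from an AAAA record. */
enum rebind_class classify_aaaa(const char *text)
{
    struct in6_addr a;
    uint32_t v4;

    if (inet_pton(AF_INET6, text, &a) != 1)
        return REBIND_BADADDR;
    if (IN6_IS_ADDR_LOOPBACK(&a))       /* ::1 */
        return REBIND_LOOPBACK;
    if (IN6_IS_ADDR_LINKLOCAL(&a))      /* fe80::/10 */
        return REBIND_LINKLOCAL;
    if (!IN6_IS_ADDR_V4MAPPED(&a))      /* anything outside ::ffff:0:0/96 */
        return REBIND_OK;
    memcpy(&v4, &a.s6_addr[12], 4);     /* embedded IPv4, network order */
    return private_v4(ntohl(v4)) ? REBIND_MAPPED_PRIVATE : REBIND_OK;
}

int main(void)
{
    /* Constructed samples; the first is the answer shown in the dig output. */
    const char *samples[] = { "::ffff:10.0.0.1", "::1", "fe80::1",
                              "::ffff:192.0.2.1", "2001:db8::1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %d\n", samples[i], classify_aaaa(samples[i]));
    return 0;
}
```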



