[Dnsmasq-discuss] DNS rebinding prevention misses IPv4-mapped IPv6 addrs containing RFC1918 addrs
simon at thekelleys.org.uk
Fri May 8 20:30:27 BST 2015
Thanks for the heads-up. I just checked in code to the git repo to fix this.
On 30/04/15 02:59, Jordan Milne wrote:
> dnsmasq correctly filters A records containing RFC1918 addresses like
> 192.168.2.1, however, it doesn't check AAAA records containing IPv4-mapped
> IPv6 addresses.
> For example, enable DNS rebinding prevention, and do:
> $ host router.saynotolinux.com
> nothing will be returned, but
> $ host routerv4mapped.saynotolinux.com
> routerv4mapped.saynotolinux.com has IPv6 address ::ffff:192.168.2.1
> Some IP stacks (Linux's, at least) will take that AAAA record and connect
> to 192.168.2.1 directly via IPv4.
> Here's how google-dnswall deals with them:
> We should also filter IPv4-compatible addresses (also in the dnswall
> example), but I haven't been able to find anything that actually supports
> them anymore.
> - Jordan
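The check discussed in this thread, as an added example (not dnsmasq's committed fix and not google-dnswall's code): a C routine a rebinding filter could run on each AAAA answer, treating `::ffff:a.b.c.d` and `::a.b.c.d` as the IPv4 address they embed. The function names are hypothetical, the sample addresses are constructed apart from the one in the report, and only the RFC1918 ranges are tested.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC1918 test on an IPv4 address in host byte order. */
static int is_rfc1918(uint32_t a)
{
    return (a & 0xff000000u) == 0x0a000000u     /* 10.0.0.0/8     */
        || (a & 0xfff00000u) == 0xac100000u     /* 172.16.0.0/12  */
        || (a & 0xffff0000u) == 0xc0a80000u;    /* 192.168.0.0/16 */
}

/* 1 if the AAAA payload is ::ffff:a.b.c.d (IPv4-mapped) or ::a.b.c.d
   (IPv4-compatible) and a.b.c.d is RFC1918; 0 otherwise. */
int aaaa_embeds_private_v4(const struct in6_addr *a6)
{
    static const unsigned char zeros[10] = {0};
    const unsigned char *b = a6->s6_addr;
    int mapped, compat;

    if (memcmp(b, zeros, sizeof zeros) != 0)
        return 0;                     /* first 80 bits must be zero */
    mapped = (b[10] == 0xff && b[11] == 0xff);
    compat = (b[10] == 0x00 && b[11] == 0x00);
    if (!mapped && !compat)
        return 0;
    return is_rfc1918(((uint32_t)b[12] << 24) | ((uint32_t)b[13] << 16) |
                      ((uint32_t)b[14] << 8) | b[15]);
}

/* Parse the textual form; -1 if it is not a valid IPv6 address. */
int check_aaaa_text(const char *text)
{
    struct in6_addr a6;
    if (inet_pton(AF_INET6, text, &a6) != 1)
        return -1;
    return aaaa_embeds_private_v4(&a6);
}

int main(void)
{
    /* Constructed samples; the first is the address from the report. */
    const char *samples[] = { "::ffff:192.168.2.1", "::10.1.2.3",
                              "::ffff:8.8.8.8", "2001:db8::1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               check_aaaa_text(samples[i]) == 1 ? "reject" : "pass");
    return 0;
}
```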