[Dnsmasq-discuss] stop-dns-rebind and IPv6
buckhorn at weibsvolk.org
Tue Mar 10 23:47:02 GMT 2020
I am using dnsmasq version pi-hole-2.80 as embedded in Pi-hole, with my
router set as its sole upstream server (server=192.168.178.1#53).
When evaluating DNS rebind protection provided by dnsmasq (by adding
stop-dns-rebind), I observed that dnsmasq correctly detects and
suppresses IPv4 answers, but fails to do the same for IPv6 ULA addresses
(maybe even for IPv6 in general).
E.g. "nslookup wpad.fritz.box" from a Windows client results in the
following log entries:
09:58:08 dnsmasq[20063]: query[A] wpad.fritz.box from 192.168.178.200
09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
09:58:08 dnsmasq[20063]: possible DNS-rebind attack detected: wpad.fritz.box
09:58:08 dnsmasq[20063]: query[AAAA] wpad.fritz.box from 192.168.178.200
09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fd00::2ba:dcff:feca:fe00
Shouldn't IPv6 ULA and link-local addresses also be suppressed?
Does dnsmasq exhibit this behaviour by intention, or could this be seen
as a possible gap in rebind protection?
Kind regards,
Buck
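As an added illustration of the gap the post describes (this is example code written for this page, not dnsmasq's implementation and not the poster's), the following checker applies the same "private answer from a public upstream" test to both address families. It parses dnsmasq-style "reply NAME is ADDR" log lines and flags answers that fall into RFC 1918, loopback and link-local IPv4 space as well as IPv6 ULA (fc00::/7, which contains the fd00::/8 answer quoted above) and IPv6 link-local (fe80::/10). The blocked-range list, the regular expression and the sample log lines are assumptions constructed for the example; the public-looking sample addresses are taken from the documentation ranges rather than real hosts.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Assumed policy for this example: address ranges that a public upstream
# resolver should never return for an external name. The IPv6 entries are the
# ones the post argues are missing from an IPv4-only rebind check.
BLOCKED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),        # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),     # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),    # RFC 1918
    ipaddress.ip_network("127.0.0.0/8"),       # IPv4 loopback
    ipaddress.ip_network("169.254.0.0/16"),    # IPv4 link-local
    ipaddress.ip_network("::1/128"),           # IPv6 loopback
    ipaddress.ip_network("fc00::/7"),          # IPv6 ULA, covers fd00::/8
    ipaddress.ip_network("fe80::/10"),         # IPv6 link-local
]

# Matches the "reply NAME is ADDR" form of dnsmasq's query log.
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<addr>\S+)$")

# Constructed sample log, modelled on the lines quoted in the post.
# 198.51.100.0/24 and 2001:db8::/32 stand in for genuinely public answers.
SAMPLE_LOG = """\
09:58:08 dnsmasq[20063]: query[A] wpad.fritz.box from 192.168.178.200
09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
09:58:08 dnsmasq[20063]: reply wpad.fritz.box is 192.168.178.1
09:58:08 dnsmasq[20063]: query[AAAA] wpad.fritz.box from 192.168.178.200
09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fd00::2ba:dcff:feca:fe00
09:58:09 dnsmasq[20063]: reply www.example.test is 198.51.100.7
09:58:09 dnsmasq[20063]: reply www.example.test is 2001:db8::7
09:58:10 dnsmasq[20063]: reply alias.example.test is <CNAME>
09:58:10 dnsmasq[20063]: reply ll.example.test is fe80::1
09:58:11 dnsmasq[20063]: reply mapped.example.test is ::ffff:10.0.0.5
"""


def is_rebind_candidate(addr_text: str) -> bool:
    """True if the answer points into a range that should not come from upstream."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False  # "<CNAME>", NODATA markers and similar are not addresses
    # An IPv4-mapped IPv6 answer (::ffff:a.b.c.d) is really an IPv4 address;
    # unwrap it so the IPv4 ranges apply instead of letting it slip past.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_RANGES)


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (name, address) pairs for every reply that looks like a rebind."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = REPLY_RE.search(line.strip())
        if m and is_rebind_candidate(m.group("addr")):
            hits.append((m.group("name"), m.group("addr")))
    return hits


if __name__ == "__main__":
    for name, addr in scan_log(SAMPLE_LOG.splitlines()):
        print(f"possible DNS-rebind answer: {name} -> {addr}")
```

Run against the constructed log, the scanner flags the RFC 1918 A record, the ULA and link-local AAAA records and the IPv4-mapped answer, while leaving the documentation-range answers and the CNAME marker alone. Whether a given deployment also wants ULA answers suppressed depends on whether the upstream is expected to serve local names, which is the trade-off the post's question turns on.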