[Dnsmasq-discuss] stop-dns-rebind and IPv6

buckhorn at weibsvolk.org
Tue Mar 10 23:47:02 GMT 2020


I am using dnsmasq version pi-hole-2.80 as embedded in Pi-hole, with my 
router set as its sole upstream server (server=192.168.178.1#53).

When evaluating DNS rebind protection provided by dnsmasq (by adding 
stop-dns-rebind), I observed that dnsmasq correctly detects and 
suppresses IPv4 answers, but fails to do the same for IPv6 ULA addresses 
(maybe even for IPv6 in general).

E.g. "nslookup wpad.fritz.box" from a Windows client results in the 
following log entries:

09:58:08 dnsmasq[20063]: query[A] wpad.fritz.box from 192.168.178.200
09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
09:58:08 dnsmasq[20063]: possible DNS-rebind attack detected: wpad.fritz.box
09:58:08 dnsmasq[20063]: query[AAAA] wpad.fritz.box from 192.168.178.200
09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fd00::2ba:dcff:feca:fe00

Shouldn't IPv6 ULA and link-local addresses also be suppressed?
Does dnsmasq exhibit this behaviour by intention, or could this be seen 
as a possible gap in rebind protection?

Kind regards,

Buck
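The gap described in the post can be checked from the log alone: dnsmasq writes a "reply NAME is ADDR" line for every answer it hands back, so any such line whose address is in a private, ULA or link-local range is an answer the rebind filter let through. The script below is an added example, not dnsmasq code and not part of the original message; it parses constructed log lines modelled on the ones above and flags answers in RFC 1918, loopback and link-local IPv4 space (the ranges stop-dns-rebind documents) plus the assumed IPv6 equivalents: fc00::/7 (ULA), fe80::/10 (link-local), ::1, and IPv4-mapped addresses that carry an internal IPv4 address. The sample log, the host names other than wpad.fritz.box, and the exact IPv6 range list are assumptions for illustration.

```python
"""
Flag dnsmasq "reply NAME is ADDR" log lines whose answer is an internal
address, i.e. an answer a DNS-rebind filter is expected to suppress.
Constructed example; not dnsmasq's own rebind check.
"""
import ipaddress
import re

# IPv4 ranges that stop-dns-rebind is documented to block (RFC 1918,
# loopback, link-local, 0.0.0.0/8).
PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]
# Assumed IPv6 equivalents: ULA, link-local, loopback.
PRIVATE_V6 = [ipaddress.ip_network(n) for n in (
    "fc00::/7", "fe80::/10", "::1/128",
)]

REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<addr>\S+)")

# Constructed log excerpt modelled on the post: the A answer was blocked
# (no "reply" line), the AAAA answer (ULA) was returned; two further
# hypothetical names show a link-local and an IPv4-mapped answer, and
# one public answer that a filter should leave alone.
SAMPLE_LOG = """\
09:58:08 dnsmasq[20063]: query[A] wpad.fritz.box from 192.168.178.200
09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
09:58:08 dnsmasq[20063]: possible DNS-rebind attack detected: wpad.fritz.box
09:58:08 dnsmasq[20063]: query[AAAA] wpad.fritz.box from 192.168.178.200
09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fd00::2ba:dcff:feca:fe00
09:58:09 dnsmasq[20063]: reply printer.lan is fe80::1
09:58:09 dnsmasq[20063]: reply mapped.example is ::ffff:192.168.178.1
09:58:09 dnsmasq[20063]: reply www.example.com is <CNAME>
09:58:09 dnsmasq[20063]: reply www.example.com is 2001:db8::1
""".splitlines()


def is_internal(addr_text):
    """True if the answer is an address a rebind filter should not let through."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False  # "<CNAME>", "NXDOMAIN", "NODATA-IPv6", ...
    if addr.version == 6:
        mapped = addr.ipv4_mapped  # ::ffff:192.168.178.1 -> 192.168.178.1
        if mapped is not None:
            return any(mapped in net for net in PRIVATE_V4)
        return any(addr in net for net in PRIVATE_V6)
    return any(addr in net for net in PRIVATE_V4)


def scan_log(lines):
    """Return (name, addr) pairs for answers that slipped past rebind filtering."""
    leaks = []
    for line in lines:
        m = REPLY_RE.search(line)
        if m and is_internal(m.group("addr")):
            leaks.append((m.group("name"), m.group("addr")))
    return leaks


if __name__ == "__main__":
    for name, addr in scan_log(SAMPLE_LOG):
        print(f"internal answer returned: {name} -> {addr}")
```

Run against a real Pi-hole log (`pihole.log` with `log-queries` enabled), every line it prints is a name for which the upstream returned an internal address without dnsmasq logging a rebind detection; the expected legitimate hits (here the router's own `fritz.box` names) are the ones to allow explicitly with `rebind-domain-ok=`, so that any remaining hit is worth investigating.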
