[Dnsmasq-discuss] stop-dns-rebind and IPv6

Dominik dl6er at dl6er.de
Wed Mar 11 07:55:42 GMT 2020

Hey Buck,

dnsmasq blocks all IPv4 address replies in the "private" subnets when enabling stop-dns-rebind. For IPv6, it blocks only the IPv4-mapped address ranges matching said private subnets.

Neither ULAs nor LLs (link-locals) are blocked in the IPv6 range. I agree this should be added.

I can provide a patch for this, maybe tomorrow, if this is wanted. However, I'm afraid it might already be too late for 2.81, cfm. Simon.


On 11 March 2020 00:47:02 CET, buckhorn at weibsvolk.org wrote:
>I am using dnsmasq version pi-hole-2.80 as embedded in Pi-hole, with my
>router set as its sole upstream server (server=
>When evaluating DNS rebind protection provided by dnsmasq (by adding 
>stop-dns-rebind), I observed that dnsmasq correctly detects and 
>suppresses IPv4 answers, but fails to do the same for IPv6 ULA
>(maybe even for IPv6 in general).
>E.g. "nslookup wpad.fritz.box" from a Windows client results in the 
>following log entries:
>09:58:08 dnsmasq[20063]: query[A] wpad.fritz.box from
>09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to
>09:58:08 dnsmasq[20063]: possible DNS-rebind attack detected: 
>09:58:08 dnsmasq[20063]: query[AAAA] wpad.fritz.box from
>09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to
>09:58:08 dnsmasq[20063]: reply wpad.fritz.box is 
>Shouldn't IPv6 ULA and link-local addresses also be suppressed?
>Does dnsmasq exhibit this behaviour by intention, or could this be seen
>as a possible gap in rebind protection?
>Kind regards,
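The following is an added example written for this thread, not dnsmasq's own code. It models the address filter that stop-dns-rebind applies to upstream answers, in the two shapes the thread describes: the 2.80 behaviour (private IPv4 and the IPv4-mapped IPv6 form of those ranges are suppressed, nothing else in IPv6) and the proposed extension that also suppresses ULA (fc00::/7) and link-local (fe80::/10) answers. The list of private IPv4 blocks is an assumption for the example; dnsmasq's source is the authoritative list. The log lines are constructed to look like the ones quoted above, with addresses filled in, and the audit function shows which answers each variant would have refused.

```python
"""Model of a stop-dns-rebind answer filter, before and after adding
IPv6 ULA and link-local ranges (added example, not dnsmasq code)."""
import ipaddress
import re

# Assumed private IPv4 blocks a rebind filter refuses in answers
# (RFC 1918 plus link-local and loopback). Not necessarily dnsmasq's exact list.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
)]

# IPv6 ranges the thread proposes adding: ULA (RFC 4193) and link-local (RFC 4291).
PRIVATE_V6 = [ipaddress.ip_network(n) for n in ("fc00::/7", "fe80::/10")]


def is_private_v4(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in PRIVATE_V4)


def rebind_blocked(answer: str, block_v6_local: bool) -> bool:
    """Return True if the filter would suppress this answer address.

    block_v6_local=False models the 2.80 behaviour described in the thread:
    only private IPv4 and IPv4-mapped IPv6 answers are dropped.
    block_v6_local=True additionally drops ULA and link-local IPv6 answers.
    """
    addr = ipaddress.ip_address(answer)
    if isinstance(addr, ipaddress.IPv4Address):
        return is_private_v4(addr)
    # IPv6: ::ffff:a.b.c.d carries an IPv4 address, so apply the IPv4 rules to it.
    mapped = addr.ipv4_mapped
    if mapped is not None:
        return is_private_v4(mapped)
    if block_v6_local:
        return any(addr in net for net in PRIVATE_V6)
    return False


# Constructed log lines in the format quoted in the thread, addresses filled in.
SAMPLE_LOG = """\
09:58:08 dnsmasq[20063]: reply wpad.fritz.box is 192.168.178.1
09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fd00::2e91:abff:fe12:3456
09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fe80::1
09:58:08 dnsmasq[20063]: reply wpad.fritz.box is ::ffff:10.0.0.5
09:58:08 dnsmasq[20063]: reply example.com is 2001:db8::1
09:58:08 dnsmasq[20063]: reply example.com is 93.184.216.34
"""

LOG_RE = re.compile(r"reply (\S+) is (\S+)$")


def audit_log(log: str, block_v6_local: bool) -> dict:
    """Map each answered address in the log to whether the filter blocks it."""
    verdicts = {}
    for line in log.splitlines():
        match = LOG_RE.search(line)
        if match:
            _name, addr = match.groups()
            verdicts[addr] = rebind_blocked(addr, block_v6_local)
    return verdicts


if __name__ == "__main__":
    for label, flag in (("2.80 behaviour", False), ("with ULA/link-local", True)):
        print(label)
        for addr, blocked in audit_log(SAMPLE_LOG, flag).items():
            print(f"  {'BLOCK ' if blocked else 'allow '} {addr}")
```

Running the script shows the gap from the report: under the 2.80 rules the fd00:: and fe80:: answers for wpad.fritz.box pass through while the 192.168.178.1 and ::ffff:10.0.0.5 answers are refused; with the two IPv6 ranges added, all four local answers are refused and the global 2001:db8::1 and 93.184.216.34 answers are still allowed.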
