[Dnsmasq-discuss] stop-dns-rebind and IPv6
Simon Kelley
simon at thekelleys.org.uk
Tue Mar 17 20:54:32 GMT 2020
On 11/03/2020 07:55, Dominik wrote:
> Hey Buck,
>
> dnsmasq blocks all IPv4 address replies in the "private" subnets when enabling stop-dns-rebind. For IPv6, it blocks only the IPv4-mapped address ranges matching said private subnets.
>
> Neither ULAs nor LLs (link-locals) are blocked in the IPv6 range. I agree this should be added.
>
> I can provide a patch for this, maybe tomorrow, if this is wanted. However, I'm afraid it might already be too late for 2.81, cfm. Simon.
Apologies for that late reply. A patch sometime this week should be fine
for 2.81.
Simon.
>
> Best,
> Dominik
>
> On 11 March 2020 00:47:02 CET, buckhorn at weibsvolk.org wrote:
>> I am using dnsmasq version pi-hole-2.80 as embedded in Pi-hole, with my
>> router set as its sole upstream server (server=192.168.178.1#53).
>>
>> When evaluating DNS rebind protection provided by dnsmasq (by adding
>> stop-dns-rebind), I observed that dnsmasq correctly detects and
>> suppresses IPv4 answers, but fails to do the same for IPv6 ULA
>> addresses
>> (maybe even for IPv6 in general).
>>
>> E.g. "nslookup wpad.fritz.box" from a Windows client results in the
>> following log entries:
>>
>> 09:58:08 dnsmasq[20063]: query[A] wpad.fritz.box from 192.168.178.200
>> 09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
>> 09:58:08 dnsmasq[20063]: possible DNS-rebind attack detected: wpad.fritz.box
>> 09:58:08 dnsmasq[20063]: query[AAAA] wpad.fritz.box from 192.168.178.200
>> 09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
>> 09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fd00::2ba:dcff:feca:fe00
>>
>> Shouldn't IPv6 ULA and link-local addresses also be suppressed?
>> Does dnsmasq exhibit this behaviour by intention, or could this be seen
>> as a possible gap in rebind protection?
>>
>> Kind regards,
>>
>> Buck
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
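The gap the thread describes can be made concrete with a small classifier. The following Python is an added illustration written for this page; it is not dnsmasq code and not code from anyone in the thread. It models the behaviour Dominik describes (private IPv4 and IPv4-mapped IPv6 answers rejected, ULA and link-local IPv6 passed through) and the extension Buck asks for (fc00::/7 and fe80::/10 also rejected), then runs both policies over a few constructed dnsmasq-style "reply ... is ..." log lines. The exact list of IPv4 "private" ranges is an assumption taken from the usual RFC 1918, loopback and link-local blocks; consult the dnsmasq man page for the authoritative set.

```python
"""Model of a DNS rebind filter, showing the IPv6 ULA/link-local gap."""
import ipaddress
import re

# Assumption (not from dnsmasq source): the IPv4 ranges a rebind filter
# rejects. The thread only says "the private subnets"; see the dnsmasq
# man page for the real list.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# IPv6 ranges the thread proposes adding: ULA (RFC 4193) and link-local.
ULA_V6 = ipaddress.ip_network("fc00::/7")
LINK_LOCAL_V6 = ipaddress.ip_network("fe80::/10")


def rebind_verdict(addr_str, extend_ipv6=False):
    """Return 'allowed' or 'blocked:<reason>' for a single answer address.

    extend_ipv6=False mirrors the behaviour described in the thread
    (IPv4 and IPv4-mapped IPv6 only); extend_ipv6=True adds the ULA and
    link-local checks the thread asks for.
    """
    addr = ipaddress.ip_address(addr_str)
    if addr.version == 4:
        if any(addr in net for net in PRIVATE_V4):
            return "blocked:private-ipv4"
        return "allowed"
    # IPv6: unwrap ::ffff:a.b.c.d and test the embedded IPv4 address,
    # which is what the current filter already does.
    mapped = addr.ipv4_mapped
    if mapped is not None:
        if any(mapped in net for net in PRIVATE_V4):
            return "blocked:ipv4-mapped-private"
        return "allowed"
    if extend_ipv6:
        if addr in ULA_V6:
            return "blocked:ipv6-ula"
        if addr in LINK_LOCAL_V6:
            return "blocked:ipv6-link-local"
    return "allowed"


# Matches dnsmasq's "reply <name> is <value>" log form; the value may be
# an address, "<CNAME>", "NXDOMAIN" and so on, so non-addresses are skipped.
REPLY_RE = re.compile(r"reply (\S+) is (\S+)$")


def audit_log(lines, extend_ipv6=False):
    """Return [(name, address, verdict)] for every reply line carrying
    a literal IP address, under the chosen policy."""
    results = []
    for line in lines:
        m = REPLY_RE.search(line)
        if not m:
            continue
        name, value = m.groups()
        try:
            verdict = rebind_verdict(value, extend_ipv6)
        except ValueError:
            continue  # "<CNAME>", "NODATA", etc. are not addresses
        results.append((name, value, verdict))
    return results


# Constructed sample log, modelled on the lines quoted in the thread.
# In real dnsmasq output a blocked IPv4 answer is logged as
# "possible DNS-rebind attack detected" instead of a "reply" line.
SAMPLE_LOG = [
    "09:58:08 dnsmasq[20063]: query[A] wpad.fritz.box from 192.168.178.200",
    "09:58:08 dnsmasq[20063]: reply wpad.fritz.box is 192.168.178.1",
    "09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fd00::2ba:dcff:feca:fe00",
    "09:58:09 dnsmasq[20063]: reply printer.lan is fe80::1",
    "09:58:09 dnsmasq[20063]: reply mapped.example is ::ffff:10.0.0.5",
    "09:58:10 dnsmasq[20063]: reply www.example.com is 2001:db8::10",
    "09:58:10 dnsmasq[20063]: reply alias.example is <CNAME>",
]


if __name__ == "__main__":
    for policy in (False, True):
        print("extend_ipv6 =", policy)
        for name, value, verdict in audit_log(SAMPLE_LOG, policy):
            print(f"  {name:20} {value:28} {verdict}")
```

Run as-is, the first pass shows the ULA and link-local answers marked "allowed", which is exactly the log Buck observed; the second pass shows them rejected alongside the private IPv4 and IPv4-mapped answers.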