[Dnsmasq-discuss] stop-dns-rebind and IPv6
Jan 'RedBully' Seiffert
kaffeemonster at googlemail.com
Thu Sep 9 00:24:00 BST 2010
2010/9/8 Simon Kelley <simon at thekelleys.org.uk>:
> dnsmasq at flyingout.name wrote:
[snip - IPv6 rebind filter failing]
> What IPv6 ranges need to be blocked? the IPv4-mapped ones obviously, but
> ::1 also?
Sure, it's the equivalent of 127.0.0.1
> What about the fe80:: link-local addresses.
I would say yes.
An attacker could see a/the MAC address in a/the global IPv6 address,
and then try a rebind to the link-local + MAC.
Site-local is deprecated (but better safe than sorry?), hmmm, what's
with unique local?
I have some code for my software here, but it's more a bogon filter:
bool combo_addr_is_public(const union combo_addr *addr)
{
	// TODO: when IPv6 is common, change it
	if(unlikely(AF_INET6 == addr->s.fam)) {
		const struct in6_addr *a6 = &addr->in6.sin6_addr;
		/* keep test for v4 last */
		a = a6->s6_addr32;
	} else
		a = addr->in.sin_addr.s_addr;
	/* according to RFC 3330 & RFC 5735 */
	if(IP_CMP(a, 0xFFFFFFFF, SLASH32)) /* 255.255.255.255/32 Broadcast */
		return false;
	.... rest of ipv4 part here ...
}
Murphy's Law of Combat
Rule #3: "Never forget that your weapon was manufactured by the
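As an added example (not from the thread or from dnsmasq itself), here is the IPv6 side of a rebind filter covering the ranges discussed above: ::1, fe80::/10 link-local, the deprecated fec0::/10 site-local, fc00::/7 unique local, and IPv4-mapped addresses, which are unwrapped and run through the IPv4 rules so the mapping cannot sidestep them. The IPv4 list (RFC 1918 plus 127.0.0.0/8) and the function names are assumptions for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* IPv4 ranges a rebind filter refuses in upstream answers.
 * Assumed list for this example: RFC 1918 plus loopback. */
static bool rebind_filter4(uint32_t a)   /* host byte order */
{
    return (a & 0xff000000u) == 0x0a000000u   /* 10.0.0.0/8 */
        || (a & 0xfff00000u) == 0xac100000u   /* 172.16.0.0/12 */
        || (a & 0xffff0000u) == 0xc0a80000u   /* 192.168.0.0/16 */
        || (a & 0xff000000u) == 0x7f000000u;  /* 127.0.0.0/8 */
}

/* IPv6 ranges raised in the thread. */
static bool rebind_filter6(const struct in6_addr *a6)
{
    if (IN6_IS_ADDR_V4MAPPED(a6)) {
        /* ::ffff:a.b.c.d: the real target is the last 32 bits,
         * so apply the IPv4 rules to it. */
        uint32_t v4;
        memcpy(&v4, a6->s6_addr + 12, 4);
        return rebind_filter4(ntohl(v4));
    }
    if (IN6_IS_ADDR_LOOPBACK(a6))          /* ::1, like 127.0.0.1 */
        return true;
    if (IN6_IS_ADDR_LINKLOCAL(a6))         /* fe80::/10 */
        return true;
    if (IN6_IS_ADDR_SITELOCAL(a6))         /* fec0::/10, deprecated */
        return true;
    if ((a6->s6_addr[0] & 0xfe) == 0xfc)   /* fc00::/7 unique local */
        return true;
    return false;
}

/* Decide from the textual form, as it would appear in an A/AAAA answer.
 * Returns true when the answer should be dropped by the rebind filter. */
bool rebind_filter_str(const char *txt)
{
    struct in6_addr a6;
    struct in_addr a4;
    if (inet_pton(AF_INET6, txt, &a6) == 1)
        return rebind_filter6(&a6);
    if (inet_pton(AF_INET, txt, &a4) == 1)
        return rebind_filter4(ntohl(a4.s_addr));
    return true;   /* unparsable: do not let it through */
}
```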