[Dnsmasq-discuss] stop-dns-rebind and IPv6

dnsmasq at flyingout.name dnsmasq at flyingout.name
Thu Sep 9 01:38:42 BST 2010



On Wed, 08 Sep 2010 22:24 +0100, "Simon Kelley"
<simon at thekelleys.org.uk> wrote:
> dnsmasq at flyingout.name wrote:

> > Is there a way to block the AAAA records as well?
> 
> No but there probably should be.

Cool.

> 
> What IPv6 ranges need to be blocked? The IPv4-mapped ones obviously, but
> ::1 also? What about the fe80:: link-local addresses?
> 

Good question. (And I'll admit that I'm no expert here.) Definitely the
IPv4-mapped and ::1. From an ongoing discussion I've been having
elsewhere, here's a list for discussion:

::1
::0/96
0/8
RFC1918:
    10.0.0.0/8            ::ffff:10.0.0.0/120
    172.16.0.0/12         ::ffff:172.16.0.0/116
    192.168.0.0/8         ::ffff:192.168.0.0/120
And loopback:
    127.0.0.1/8           ::ffff:127.0.0.1/120


There was a suggestion for:

169.254.0.0/16
::ffff:169.254.0.0/112
FE80::/10  

although I'm not sure there's much of a threat there. On the other hand,
they don't have much reason to be coming from public resolvers, either.

Paul
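
An added example, not part of the original message and not dnsmasq code: a Python check that classifies an A or AAAA answer against the ranges listed above. It assumes the RFC 1918 prefix lengths and derives each IPv4-mapped prefix as 96 plus the IPv4 prefix length; the function names and the sample answers are constructed for illustration.

```python
import ipaddress

# IPv4 ranges from the list under discussion (RFC 1918 prefix lengths assumed).
V4_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
# Native IPv6 ranges from the list: loopback, ::/96 and link-local.
V6_BLOCKED = [ipaddress.ip_network(n) for n in ("::1/128", "::/96", "fe80::/10")]

MAPPED_BASE = int(ipaddress.IPv6Address("::ffff:0:0"))


def mapped_prefix(v4_cidr):
    """Return the IPv4-mapped IPv6 network equivalent to an IPv4 CIDR.

    The 32 IPv4 bits sit below a fixed 96-bit prefix, so an IPv4 /n
    becomes an IPv6 /(96 + n).
    """
    net = ipaddress.ip_network(v4_cidr)
    return ipaddress.IPv6Network(
        (MAPPED_BASE | int(net.network_address), 96 + net.prefixlen))


def is_rebind_target(addr):
    """True if a DNS answer address falls inside a blocked range."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        if ip.ipv4_mapped is None:
            return any(ip in net for net in V6_BLOCKED)
        ip = ip.ipv4_mapped  # unwrap ::ffff:a.b.c.d and test it as IPv4
    return any(ip in net for net in V4_BLOCKED)


def filter_answers(records):
    """Keep only (rtype, address) answers that are safe to pass on."""
    return [(t, a) for t, a in records if not is_rebind_target(a)]


if __name__ == "__main__":
    # Constructed sample answers, as an upstream resolver might return them.
    sample = [("A", "203.0.113.10"), ("A", "192.168.1.1"),
              ("AAAA", "2001:db8::1"), ("AAAA", "::ffff:10.1.2.3"),
              ("AAAA", "::1"), ("AAAA", "fe80::1")]
    for rtype, addr in sample:
        verdict = "BLOCK" if is_rebind_target(addr) else "pass"
        print(f"{rtype:<5}{addr:<20}{verdict}")
```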


