[Dnsmasq-discuss] Disable DNS-rebind protection for servers with multiple IPs
Leonid Isaev
lisaev at umail.iu.edu
Sat Aug 23 17:07:45 BST 2014
Hi,
Is there any way to tell dnsmasq to not reject a server when an
upstream DNS returns multiple IP addresses with some of them being in a private
range?
For example, "store.free-college.org" resolves to a set of IPs:
------
$ drill store.free-college.org @75.75.75.75
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 33320
;; flags: qr rd ra ; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; store.free-college.org. IN A
;; ANSWER SECTION:
store.free-college.org. 300 IN A 89.223.98.37
store.free-college.org. 300 IN A 77.247.168.126
store.free-college.org. 300 IN A 188.242.41.153
store.free-college.org. 300 IN A 178.162.58.205
store.free-college.org. 300 IN A 89.223.98.80
store.free-college.org. 300 IN A 172.31.85.247
store.free-college.org. 300 IN A 5.19.252.122
store.free-college.org. 300 IN A 93.92.202.158
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 275 msec
;; SERVER: 75.75.75.75
;; WHEN: Sat Aug 23 11:53:57 2014
;; MSG SIZE rcvd: 168
------
But one of these is private (172.31.85.247). This is of course a problem with a
nameserver somewhere, but other addresses AFAIU are OK.
Meanwhile, dnsmasq-2.71 (archlinux) running at 10.0.0.1 with --stop-dns-rebind
and using the same 75.75.75.75 nameserver as upstream rejects all of the above
addresses with a message that a "possible DNS-rebind attack was detected"
(hence breaking clients on the LAN). The configuration is basic:
------
$ cat /etc/dnsmasq.conf
domain-needed
bogus-priv
strict-order
local=/skynet/
interface=br0
bind-interfaces
domain=skynet
dhcp-range=10.0.0.2,10.0.0.200,255.255.255.0,24h
dhcp-option=252,"\n"
dhcp-authoritative
$ cat /etc/resolv.conf
nameserver 75.75.75.75
nameserver 75.75.76.76
------
So, ideally I'd like to be able to instruct dnsmasq to reject the DNS request
if an upstream nameserver returns only 1 IP in a private range, otherwise
filter out the private addresses and return only public ones...
[Sorry if a similar problem has already been discussed on this list]
Thanks,
--
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4
C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
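As an added illustration (not code from the post or from dnsmasq itself), the following Python models the two policies the message contrasts: the strict check that rejects the whole reply once any address is private, and the lenient variant the poster asks for. The private-range list is an assumption approximating what --stop-dns-rebind guards against, and the sample answer lines are constructed from the drill output above.

```python
import ipaddress

# Ranges treated as private for rebind purposes: RFC 1918 plus loopback,
# link-local and 0.0.0.0/8. Assumption approximating the --stop-dns-rebind
# check, not copied from dnsmasq's source.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

# Constructed sample: a subset of the A records from the drill output.
SAMPLE_ANSWER = """\
store.free-college.org. 300 IN A 89.223.98.37
store.free-college.org. 300 IN A 77.247.168.126
store.free-college.org. 300 IN A 172.31.85.247
store.free-college.org. 300 IN A 5.19.252.122
"""

def parse_a_records(text):
    """Extract the addresses of A records from dig/drill-style answer lines."""
    addrs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2] == "IN" and fields[3] == "A":
            addrs.append(fields[4])
    return addrs

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def strict_filter(addrs):
    """What the poster observes: one private address rejects the whole reply."""
    if any(is_private(a) for a in addrs):
        return "reject", []
    return "accept", list(addrs)

def lenient_filter(addrs):
    """What the poster asks for: reject only when no public address is left,
    otherwise strip the private addresses and return the public ones."""
    public = [a for a in addrs if not is_private(a)]
    if not public:
        return "reject", []
    verdict = "filtered" if len(public) < len(addrs) else "accept"
    return verdict, public

if __name__ == "__main__":
    addrs = parse_a_records(SAMPLE_ANSWER)
    print("strict :", strict_filter(addrs))
    print("lenient:", lenient_filter(addrs))
```

The lenient policy still accepts a reply that mixes a private target with public addresses, which is the case the strict check exists to block, so a resolver applying it is trading rebind coverage for availability.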