[Dnsmasq-discuss] DNS rebinding prevention misses IPv4-mapped IPv6 addrs containing RFC1918 addrs
Jordan Milne
dnsmasq at saynotolinux.com
Thu Apr 30 02:59:34 BST 2015
dnsmasq correctly filters A records containing RFC1918 addresses like
192.168.2.1, however, it doesn't check AAAA records containing IPv4-mapped
IPv6 addresses.
For example, enable DNS rebinding prevention, and do:
$ host router.saynotolinux.com
>
nothing will be returned, but
$ host routerv4mapped.saynotolinux.com
>
returns
routerv4mapped.saynotolinux.com has IPv6 address ::ffff:192.168.2.1
>
Some IP stacks (Linux's, at least) will take that AAAA record and connect
to 192.168.2.1 directly via IPv4.
Here's how google-dnswall deals with them:
https://code.google.com/p/google-dnswall/source/browse/trunk/src/check_record.c#83
We should also filter IPv4-compatible addresses (also in the dnswall
example,) but I haven't been able to find anything that actually supports
them anymore.
Cheers,
- Jordan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20150429/c2612bbf/attachment.html>
More information about the Dnsmasq-discuss
mailing list