[Dnsmasq-discuss] DNS rebinding prevention misses IPv4-mapped IPv6 addrs containing RFC1918 addrs
Simon Kelley
simon at thekelleys.org.uk
Fri May 8 20:30:27 BST 2015
Thanks for the heads-up. I just checked in code to the git repo to fix this.
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=b059c96dc69dfe3055c5b32b078a05c53b11ebb3
Cheers,
Simon.
On 30/04/15 02:59, Jordan Milne wrote:
> dnsmasq correctly filters A records containing RFC1918 addresses like
> 192.168.2.1; however, it doesn't check AAAA records containing IPv4-mapped
> IPv6 addresses.
>
> For example, enable DNS rebinding prevention, and do:
>
> $ host router.saynotolinux.com
>
> nothing will be returned, but
>
> $ host routerv4mapped.saynotolinux.com
>
> returns
>
> routerv4mapped.saynotolinux.com has IPv6 address ::ffff:192.168.2.1
>
> Some IP stacks (Linux's, at least) will take that AAAA record and connect
> to 192.168.2.1 directly via IPv4.
>
> Here's how google-dnswall deals with them:
> https://code.google.com/p/google-dnswall/source/browse/trunk/src/check_record.c#83
>
> We should also filter IPv4-compatible addresses (also in the dnswall
> example), but I haven't been able to find anything that actually supports
> them anymore.
>
> Cheers,
> - Jordan
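
The check discussed in this thread, as an added example (not dnsmasq's or google-dnswall's code): a rebind filter for AAAA answers that unwraps IPv4-mapped (`::ffff:a.b.c.d`) and IPv4-compatible (`::a.b.c.d`) addresses and tests the embedded IPv4 address against the RFC1918 ranges. The function names are hypothetical, the sample addresses are constructed, and only RFC1918 is checked here.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: is this host-order IPv4 address in an RFC1918 range? */
static int is_rfc1918(uint32_t a)
{
    return (a & 0xff000000u) == 0x0a000000u ||  /* 10.0.0.0/8     */
           (a & 0xfff00000u) == 0xac100000u ||  /* 172.16.0.0/12  */
           (a & 0xffff0000u) == 0xc0a80000u;    /* 192.168.0.0/16 */
}

/* Hypothetical helper: if a6 is IPv4-mapped (::ffff:0:0/96) or
   IPv4-compatible (::/96), store the embedded IPv4 address in host
   byte order and return 1; otherwise return 0. */
static int embedded_v4(const struct in6_addr *a6, uint32_t *v4)
{
    const unsigned char *b = a6->s6_addr;
    int i;

    for (i = 0; i < 10; i++)          /* first 80 bits must be zero */
        if (b[i] != 0)
            return 0;
    if (!((b[10] == 0xff && b[11] == 0xff) || (b[10] == 0 && b[11] == 0)))
        return 0;
    *v4 = ((uint32_t)b[12] << 24) | ((uint32_t)b[13] << 16) |
          ((uint32_t)b[14] << 8)  |  (uint32_t)b[15];
    return 1;
}

/* Returns 1 if the AAAA address text hides an RFC1918 IPv4 address and
   should be dropped by the rebind filter, 0 if not, -1 if unparsable. */
int aaaa_is_private_v4(const char *text)
{
    struct in6_addr a6;
    uint32_t v4;

    if (inet_pton(AF_INET6, text, &a6) != 1)
        return -1;
    return embedded_v4(&a6, &v4) && is_rfc1918(v4);
}

int main(void)
{
    /* Constructed sample AAAA answers. */
    const char *s[] = { "::ffff:192.168.2.1", "::192.168.2.1", "2001:db8::1" };
    for (int i = 0; i < 3; i++)
        printf("%-20s -> %d\n", s[i], aaaa_is_private_v4(s[i]));
    return 0;
}
```

Because the comparison is done on the parsed 16 bytes, the all-hex spelling `::ffff:c0a8:201` is caught the same way as the dotted form.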