[Dnsmasq-discuss] DNS rebinding prevention misses IPv4-mapped IPv6 addrs containing RFC1918 addrs

Simon Kelley simon at thekelleys.org.uk
Fri May 8 20:30:27 BST 2015


Thanks for the heads-up. I just checked in code to the git repo to fix this.

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=b059c96dc69dfe3055c5b32b078a05c53b11ebb3

Cheers,

Simon.



On 30/04/15 02:59, Jordan Milne wrote:
> dnsmasq correctly filters A records containing RFC1918 addresses like
> 192.168.2.1, however, it doesn't check AAAA records containing IPv4-mapped
> IPv6 addresses.
> 
> For example, enable DNS rebinding prevention, and do:
> 
> $ host router.saynotolinux.com
>>
> 
> nothing will be returned, but
> 
> $ host routerv4mapped.saynotolinux.com
>>
> 
> returns
> 
> routerv4mapped.saynotolinux.com has IPv6 address ::ffff:192.168.2.1
>>
> 
> Some IP stacks (Linux's, at least) will take that AAAA record and connect
> to 192.168.2.1 directly via IPv4.
> 
> Here's how google-dnswall deals with them:
> https://code.google.com/p/google-dnswall/source/browse/trunk/src/check_record.c#83
> 
> We should also filter IPv4-compatible addresses (also in the dnswall
> example,) but I haven't been able to find anything that actually supports
> them anymore.
> 
> Cheers,
>  - Jordan
> 
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 




More information about the Dnsmasq-discuss mailing list