[Dnsmasq-discuss] Config Parcing Bug
Tasnad Kernetzky
tasnadk at gmail.com
Sat Jan 12 10:16:59 GMT 2019
On 12.01.19 04:49, wkitty42 at gmail.com wrote:
> On 1/11/19 7:22 PM, Tasnad Kernetzky wrote:
>> Hi all,
>>
>> I wanted to report a bug (at least we belieave it is one). We had a
>> short discussion over at the archlinux bugtracker
>> (https://bugs.archlinux.org/task/60366).
>>
>> In short:
>>
>>> echo 'address=/ab--c.example.com/#' | dnsmasq --test -C -
>>
>>> dnsmasq: error at line 1 of stdin
>>
>> Althoug the URL is "forbidden":
>>
>>> host 'ab--c.example.com'
>>> host: 'ab--c.example.com' is not a legal IDNA2008 name (string
>> contains forbidden two hyphens pattern), use +noidnin
>
>
> is that a punycode domain name? all the one's i've seen are written as
>
> xn--codehere.invalid
>
> firefox has a specific option we set so we don't get taken in by
> look-alike homographs... specifically the links with unicode
> characters in them are displayed in their punycode form,
> xn--blahblah... these links explain more if some folks don't know
> about this aspect of the DNS system...
>
> https://en.wikipedia.org/wiki/Internationalized_domain_name#ASCII_spoofing_concerns
>
> https://en.wikipedia.org/wiki/IDN_homograph_attack
> https://en.wikipedia.org/wiki/Punycode#Internationalized_domain_names
>
>
I thought about that and I don't think so. AFAIK punycodes start with
xn, right? Indeed, dnsmasq accepts 'echo 'address=/xn--74hc.com/#' |
dnsmasq --test -C -'.
The actual troublesome domains from the block list are
"hm--test2.vergic.com", "-x3.vindicosuite.com" and (as regex)
'r\d---[\w\.\d-]+.(googlesyndication\.com|2mdn.net)'.
I guess the question is now, how dnsmasq should deal with invalid
domains in the config (or has there already been a discussion about that?).
I see three options:
1) Keep current behaviour, but do not forward queries to upstream
servers for invalid domains (actually dnsmasq does that). This way, we
don't need to worry about them.
2) Accept invalid domains in the config, so that we can block them
3) Provide a config switch to select whether dnsmasq fails to start If
there is an invalid domain in a config, or just issues a warning to the
log.
I would prefere 2), since that's the cleanest way. I don't see a reason
why invalid domains should not be blockable. They somehow ended up in
the block list anyways...
More information about the Dnsmasq-discuss
mailing list