[Dnsmasq-discuss] [PATCH] Check for SERV_NO_REBIND on unqualified domains

Sung Pae self at sungpae.com
Mon Dec 30 23:07:37 GMT 2019


Hello,

My home network has a DNS search domain of home.arpa and my machine's dnsmasq
instance is configured with:

        server=/home.arpa/192.168.0.1
        server=//192.168.0.1
        stop-dns-rebind
        rebind-domain-ok=home.arpa
        rebind-domain-ok=// # Match unqualified domains

Querying my router's FQDN works as expected:

        dnsmasq: query[A] gateway.home.arpa from 127.0.0.1
        dnsmasq: forwarded gateway.home.arpa to 192.168.0.1
        dnsmasq: reply gateway.home.arpa is 192.168.0.1

But using an unqualified domain name does not:

        dnsmasq: query[A] gateway from 127.0.0.1
        dnsmasq: forwarded gateway to 192.168.0.1
        dnsmasq: possible DNS-rebind attack detected: gateway

The attached patch addresses this issue by checking for SERV_NO_REBIND when
handling dotless domains.
From 0460b07108b009cff06e29eac54910ec2e7fafce Mon Sep 17 00:00:00 2001
From: guns <self at sungpae.com>
Date: Mon, 30 Dec 2019 16:34:23 -0600
Subject: [PATCH] Check for SERV_NO_REBIND on unqualified domains

---
 src/forward.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/forward.c b/src/forward.c
index e4745a3..0919033 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -125,7 +125,9 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned
       {
 	unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6; 
 	*type = SERV_FOR_NODOTS;
-	if (serv->flags & SERV_NO_ADDR)
+	if ((serv->flags & SERV_NO_REBIND) && norebind)
+	  *norebind = 1;
+	else if (serv->flags & SERV_NO_ADDR)
 	  flags = F_NXDOMAIN;
 	else if (serv->flags & SERV_LITERAL_ADDRESS)
 	  { 
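Review bot: the new `if ... else if` chain gives SERV_NO_REBIND priority over the existing SERV_NO_ADDR and SERV_LITERAL_ADDRESS tests for the same server entry: an entry flagged with both SERV_NO_REBIND and SERV_NO_ADDR now sets `*norebind = 1` and no longer reaches `flags = F_NXDOMAIN`, and one flagged SERV_NO_REBIND plus SERV_LITERAL_ADDRESS skips the literal-address branch. If those flag combinations cannot occur on a single entry in the dotless path this is harmless; otherwise make the rebind check a standalone `if` placed before the unchanged `if (serv->flags & SERV_NO_ADDR)`, so it only records `*norebind` and leaves the `flags` handling exactly as before. The `&& norebind` guard before dereferencing the pointer is correct. The commit message is subject-only; the rationale from the mail (rebind-domain-ok=// not applying to names without a dot, so a legitimate private answer is logged as a rebind attack) belongs in the commit body.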
-- 
2.24.1
