[Dnsmasq-discuss] [PATCH] Check for SERV_NO_REBIND on unqualified domains
Simon Kelley
simon at thekelleys.org.uk
Sun Jan 5 22:13:46 GMT 2020
On 30/12/2019 23:07, Sung Pae wrote:
> Hello,
>
> My home network has a DNS search domain of home.arpa and my machine's dnsmasq
> instance is configured with:
>
> server=/home.arpa/192.168.0.1
> server=//192.168.0.1
> stop-dns-rebind
> rebind-domain-ok=home.arpa
> rebind-domain-ok=// # Match unqualified domains
>
> Querying my router's FQDN works as expected:
>
> dnsmasq: query[A] gateway.home.arpa from 127.0.0.1
> dnsmasq: forwarded gateway.home.arpa to 192.168.0.1
> dnsmasq: reply gateway.home.arpa is 192.168.0.1
>
> But using an unqualified domain name does not:
>
> dnsmasq: query[A] gateway from 127.0.0.1
> dnsmasq: forwarded gateway to 192.168.0.1
> dnsmasq: possible DNS-rebind attack detected: gateway
>
> The attached patch addresses this issue by checking for SERV_NO_REBIND when
> handling dotless domains.
>
>
Patch applied, thanks.
Simon.
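
The behaviour reported in this thread, as an added Python model; it is not dnsmasq's code and not the attached patch. The function names, the `check_dotless` flag and the reduced private-range list are assumptions made for illustration; the config lines are the ones quoted above.

```python
import ipaddress

# Config from the thread above, embedded so the example runs offline.
CONFIG = """\
server=/home.arpa/192.168.0.1
server=//192.168.0.1
stop-dns-rebind
rebind-domain-ok=home.arpa
rebind-domain-ok=// # Match unqualified domains
"""

# Assumption: only the RFC 1918 ranges; dnsmasq's own private-range list is longer.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_rebind_ok(config_text):
    """Return the rebind-domain-ok domains; "" stands for '//' (dotless names)."""
    domains = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("rebind-domain-ok="):
            continue
        value = line.split("=", 1)[1].strip()
        if value == "//":
            domains.add("")
        else:
            domains.update(d.lower() for d in value.strip("/").split("/") if d)
    return domains

def rebind_exempt(name, ok_domains, check_dotless=True):
    """check_dotless=False models the reported behaviour (hypothetical flag)."""
    name = name.rstrip(".").lower()
    if "." not in name:
        return check_dotless and "" in ok_domains
    return any(name == d or name.endswith("." + d) for d in ok_domains if d)

def verdict(name, answer, ok_domains, check_dotless=True):
    """'blocked' when a private answer arrives for a non-exempt name."""
    addr = ipaddress.ip_address(answer)
    private = any(addr in net for net in PRIVATE_NETS)
    if private and not rebind_exempt(name, ok_domains, check_dotless):
        return "blocked"
    return "reply"

if __name__ == "__main__":
    ok = parse_rebind_ok(CONFIG)
    for name in ("gateway.home.arpa", "gateway", "attacker.example"):
        print(name, verdict(name, "192.168.0.1", ok, False), verdict(name, "192.168.0.1", ok))
```

Names outside the exempted domains that resolve to a private address stay blocked in both modes, so the `//` exemption only widens the allowance to dotless names.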