[Dnsmasq-discuss] stop-dns-rebind and IPv6

Dominik dl6er at dl6er.de
Tue Mar 17 21:48:23 GMT 2020


Patch attached.

On 17.03.20 21:54, Simon Kelley wrote:
>
> On 11/03/2020 07:55, Dominik wrote:
>> Hey Buck,
>>
>> dnsmasq blocks all IPv4 address replies in the "private" subnets when enabling stop-dns-rebind. For IPv6, it blocks only the IPv4-mapped address ranges matching said private subnets.
>>
>> Neither ULAs nor LLs (link-locals) are blocked in the IPv6 range. I agree this should be added.
>>
>> I can provide a patch for this, maybe tomorrow, if this is wanted. However, I'm afraid it might already be too late for 2.81, cfm. Simon.
> Apologies for that late reply. A patch sometime this week should be fine
> for 2.81.
>
> Simon.
>
>> Best,
>> Dominik
>>
>> Am 11. März 2020 00:47:02 MEZ schrieb buckhorn at weibsvolk.org:
>>> I am using dnsmasq version pi-hole-2.80 as embedded in Pi-hole, with my
>>> router set as its sole upstream server (server=192.168.178.1#53).
>>>
>>> When evaluating DNS rebind protection provided by dnsmasq (by adding
>>> stop-dns-rebind), I observed that dnsmasq correctly detects and
>>> suppresses IPv4 answers, but fails to do the same for IPv6 ULA
>>> addresses (maybe even for IPv6 in general).
>>>
>>> E.g. "nslookup wpad.fritz.box" from a Windows client results in the
>>> following log entries:
>>>
>>> 09:58:08 dnsmasq[20063]: query[A] wpad.fritz.box from 192.168.178.200
>>> 09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
>>> 09:58:08 dnsmasq[20063]: possible DNS-rebind attack detected: wpad.fritz.box
>>> 09:58:08 dnsmasq[20063]: query[AAAA] wpad.fritz.box from 192.168.178.200
>>> 09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
>>> 09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fd00::2ba:dcff:feca:fe00
>>>
>>> Shouldn't IPv6 ULA and link-local addresses also be suppressed?
>>> Does dnsmasq exhibit this behaviour by intention, or could this be seen
>>> as a possible gap in rebind protection?
>>>
>>> Kind regards,
>>>
>>> Buck
>>>
>>>
>>>
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Extend-stop-dns-rebind-to-reject-IPv6-link-local-LL-.patch
Type: text/x-patch
Size: 2841 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20200317/add0df02/attachment.bin>
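As an added illustration of the check the thread is asking for (this is not the attached patch and not dnsmasq's own code), the function below classifies an answer address the way a stop-dns-rebind filter would: the pre-patch behaviour covers private IPv4 and IPv4-mapped IPv6, and the thread's requested extension adds ULA (fc00::/7) and link-local (fe80::/10). The IPv4 range list is an assumed set of commonly "private" prefixes, not copied from dnsmasq, and the sample answers other than the logged fd00:: reply are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed set of IPv4 prefixes treated as private (not dnsmasq's list). */
static int private_v4(uint32_t a)             /* a in host byte order */
{
    return (a & 0xff000000u) == 0x0a000000u    /* 10.0.0.0/8      */
        || (a & 0xfff00000u) == 0xac100000u    /* 172.16.0.0/12   */
        || (a & 0xffff0000u) == 0xc0a80000u    /* 192.168.0.0/16  */
        || (a & 0xff000000u) == 0x7f000000u    /* 127.0.0.0/8     */
        || (a & 0xffff0000u) == 0xa9fe0000u    /* 169.254.0.0/16  */
        || (a & 0xff000000u) == 0x00000000u;   /* 0.0.0.0/8       */
}

/* IPv6: mapped IPv4 was already covered; ULA and link-local are the gap
   Buck reported and Dominik's patch closes. */
static int private_v6(const unsigned char b[16])
{
    int mapped = 1;
    for (int i = 0; i < 10; i++)
        if (b[i]) mapped = 0;
    if (mapped && b[10] == 0xff && b[11] == 0xff)      /* ::ffff:a.b.c.d */
        return private_v4(((uint32_t)b[12] << 24) | ((uint32_t)b[13] << 16)
                        | ((uint32_t)b[14] << 8)  | b[15]);
    if ((b[0] & 0xfe) == 0xfc) return 1;                /* ULA fc00::/7 */
    if (b[0] == 0xfe && (b[1] & 0xc0) == 0x80) return 1;/* link-local fe80::/10 */
    return 0;
}

/* 1 = would be rejected by rebind protection, 0 = allowed, -1 = not an IP literal */
int rebind_reject(const char *text)
{
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, text, &a4) == 1)
        return private_v4(ntohl(a4.s_addr));
    if (inet_pton(AF_INET6, text, &a6) == 1)
        return private_v6(a6.s6_addr);
    return -1;
}

int main(void)
{
    /* The AAAA answer from the thread's log, plus constructed samples. */
    const char *answers[] = { "fd00::2ba:dcff:feca:fe00", "fe80::1",
                              "::ffff:192.168.178.1", "2001:db8::1", "203.0.113.5" };
    for (size_t i = 0; i < sizeof answers / sizeof answers[0]; i++)
        printf("%-26s -> %s\n", answers[i], rebind_reject(answers[i]) ? "reject" : "allow");
    return 0;
}
```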

