[Dnsmasq-discuss] stop-dns-rebind and IPv6

Simon Kelley simon at thekelleys.org.uk
Tue Mar 17 23:02:35 GMT 2020


On 17/03/2020 21:48, Dominik wrote:
> Patch attached.


and applied. Thanks.

Simon.


> 
> On 17.03.20 21:54, Simon Kelley wrote:
>>
>> On 11/03/2020 07:55, Dominik wrote:
>>> Hey Buck,
>>>
>>> dnsmasq blocks all IPv4 address replies in the "private" subnets when enabling stop-dns-rebind. For IPv6, it blocks only the IPv4-mapped address ranges matching said private subnets.
>>>
>>> Neither ULAs nor LLs (link-locals) are blocked in the IPv6 range. I agree this should be added.
>>>
>>> I can provide a patch for this, maybe tomorrow, if this is wanted. However, I'm afraid it might already be too late for 2.81, cfm. Simon.
>> Apologies for that late reply. A patch sometime this week should be fine
>> for 2.81.
>>
>> Simon.
>>
>>> Best,
>>> Dominik
>>>
>>> On 11 March 2020 00:47:02 CET, buckhorn at weibsvolk.org wrote:
>>>> I am using dnsmasq version pi-hole-2.80 as embedded in Pi-hole, with my
>>>> router set as its sole upstream server (server=192.168.178.1#53).
>>>>
>>>> When evaluating DNS rebind protection provided by dnsmasq (by adding
>>>> stop-dns-rebind), I observed that dnsmasq correctly detects and
>>>> suppresses IPv4 answers, but fails to do the same for IPv6 ULA addresses
>>>> (maybe even for IPv6 in general).
>>>>
>>>> E.g. "nslookup wpad.fritz.box" from a Windows client results in the 
>>>> following log entries:
>>>>
>>>> 09:58:08 dnsmasq[20063]: query[A] wpad.fritz.box from 192.168.178.200
>>>> 09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
>>>> 09:58:08 dnsmasq[20063]: possible DNS-rebind attack detected: wpad.fritz.box
>>>> 09:58:08 dnsmasq[20063]: query[AAAA] wpad.fritz.box from 192.168.178.200
>>>> 09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
>>>> 09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fd00::2ba:dcff:feca:fe00
>>>>
>>>> Shouldn't IPv6 ULA and link-local addresses also be suppressed?
>>>> Does dnsmasq exhibit this behaviour by intention, or could this be seen
>>>> as a possible gap in rebind protection?
>>>>
>>>> Kind regards,
>>>>
>>>> Buck
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Dnsmasq-discuss mailing list
>>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>>
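
The address classification this thread asks for, as an added example; it is not dnsmasq's code and not the patch mentioned above. The function names are hypothetical, the IPv4 "private" set is assumed to be RFC 1918 plus 169.254.0.0/16, and every sample address except the ULA from the quoted log is constructed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed IPv4 "private" set: RFC 1918 plus link-local. Host byte order. */
static int private_v4(uint32_t a)
{
    return (a & 0xff000000u) == 0x0a000000u ||      /* 10.0.0.0/8     */
           (a & 0xfff00000u) == 0xac100000u ||      /* 172.16.0.0/12  */
           (a & 0xffff0000u) == 0xc0a80000u ||      /* 192.168.0.0/16 */
           (a & 0xffff0000u) == 0xa9fe0000u;        /* 169.254.0.0/16 */
}

static int private_v6(const struct in6_addr *a)
{
    static const uint8_t mapped[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    const uint8_t *b = a->s6_addr;
    uint32_t v4;

    if (memcmp(b, mapped, sizeof mapped) == 0) {    /* ::ffff:a.b.c.d */
        memcpy(&v4, b + 12, sizeof v4);
        return private_v4(ntohl(v4));
    }
    return (b[0] & 0xfe) == 0xfc ||                 /* ULA, fc00::/7         */
           (b[0] == 0xfe && (b[1] & 0xc0) == 0x80); /* link-local, fe80::/10 */
}

/* 1: answer points into local address space, 0: it does not, -1: not an IP. */
int rebind_candidate(const char *text)
{
    struct in_addr v4;
    struct in6_addr v6;

    if (inet_pton(AF_INET, text, &v4) == 1)
        return private_v4(ntohl(v4.s_addr));
    if (inet_pton(AF_INET6, text, &v6) == 1)
        return private_v6(&v6);
    return -1;
}

int main(void)
{
    /* First entry is the AAAA answer from the log above; the rest are constructed. */
    const char *samples[] = { "fd00::2ba:dcff:feca:fe00", "fe80::1",
                              "::ffff:192.168.178.1", "2001:db8::1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s %s\n", samples[i],
               rebind_candidate(samples[i]) == 1 ? "suppress" : "pass");
    return 0;
}
```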



