[Dnsmasq-discuss] blocklists, blocking servers, rebind attacks & general aaarrggh

Kevin Darbyshire-Bryant kevin at darbyshire-bryant.me.uk
Wed Jun 30 09:40:41 UTC 2021

As an 'experiment' I tried switching from my own local 'adblocking' solution to using an upstream adblocking resolver, e.g. cloudflare's or service.

The local adblock solution uses (multiple!) '--address/naughtydomain.foo/' lines that cause dnsmasq to return 'NXDOMAIN' - fair enough.

Cloudflare (& others I've tested) return '' or '::' instead, not NXDOMAIN.  With rebind protection enabled (--stop-dns-rebind), even with --rebind-localhost-ok I get log 'spam' warning of possible rebind attacks due to the '' address response.

I can turn '' into NXDOMAIN by using --bogus-nxdomain= and that works fine and stops the rebind warnings.  However '::' still gets through if an AAAA is specifically requested.  There is no equivalent bogus-nxdomain for IPv6.

The dnsmasq manpage (under --address) advised "Note that NULL addresses [ & ::] normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves."  Ideally then & :: would both be turned into NXDOMAIN.

Should '' be excluded from the rebind checks/accepted by the '--rebind-localhost-ok' option?  It's currently being caught by a '' check.


Kevin D-B

gpg: 012C ACB2 28C6 C53E 9775  9123 B3A2 389B 9DE2 334A
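An added dnsmasq configuration fragment (not from the post or the dnsmasq project) that puts the two setups described above side by side; the domain names and the upstream resolver address are placeholders, and the `bogus-nxdomain` value is the IPv4 null address the manpage quote refers to:

```conf
# Added example, not part of the original post. Domain names and the
# resolver address below are placeholders.

# Setup 1: block locally. An --address line with no IP makes dnsmasq answer
# NXDOMAIN for the name and its subdomains; nothing is forwarded upstream,
# so the rebind check never sees a null address for these names.
address=/naughtydomain.example/
address=/tracker.example/

# Setup 2: forward to a filtering upstream resolver (placeholder address).
# Such resolvers answer blocked names with 0.0.0.0 / :: rather than
# NXDOMAIN, and --stop-dns-rebind logs those answers as possible rebinds.
server=192.0.2.53

# Rewrite the IPv4 null answer into NXDOMAIN, which stops the warnings for
# A lookups. bogus-nxdomain takes IPv4 addresses only, so an AAAA answer of
# :: still reaches the rebind check and still warns: the gap the post
# describes.
bogus-nxdomain=0.0.0.0

# Reject and log upstream answers in private ranges.
stop-dns-rebind
# Exempts only 127.0.0.0/8 and ::1 from that check; 0.0.0.0 and :: are not
# covered, hence the question raised in the post.
rebind-localhost-ok
```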

