[Dnsmasq-discuss] blocklists, blocking servers, rebind attacks & general aaarrggh

Simon Kelley simon at thekelleys.org.uk
Sun Jul 4 20:32:48 UTC 2021


On 30/06/2021 10:40, Kevin Darbyshire-Bryant wrote:
> As an ‘experiment’ I tried switching from my own local ‘adblocking’ solution to using an upstream adblocking resolver, e.g. cloudflare’s 1.1.1.2 or 1.1.1.3 service.
> 
> The local adblock solution uses (multiple!) ‘--address/naughtydomain.foo/’ lines that cause dnsmasq to return ‘NXDOMAIN’ - fair enough.
> 
> Cloudflare (& others I’ve tested) return ‘0.0.0.0’ or ‘::’ instead, not NXDOMAIN.  With rebind protection enabled (--stop-dns-rebind), even with --rebind-localhost-ok I get log ‘spam’ warning of possible rebind attacks due to the ‘0.0.0.0’ address response.
> 
> I can turn ‘0.0.0.0’ into NXDOMAIN by using --bogus-nxdomain=0.0.0.0 and that works fine and stops the rebind warnings.  However ‘::’ still gets through if an AAAA is specifically requested.  There is no equivalent bogus-nxdomain for ipv6.
> 
> The dnsmasq manpage (under --address) advised "Note that NULL addresses [0.0.0.0 & ::] normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves."  Ideally then 0.0.0.0 & :: would both be turned into NXDOMAIN.
> 
> Should ‘0.0.0.0/32’ be excluded from the rebind checks/accepted by the ‘--rebind-localhost-ok’ option?  It’s currently being caught by a ‘0.0.0.0/8’ check.
> 

I looked at the code that determines private addresses for --bogus-priv
and rebind: It's a bit unruly for IPv6, so I've rationalised things and
included :: and 0.0.0.0 in the --rebind-localhost-ok coverage, which at
least avoids the log spam.


I wonder if bogus-nxdomain should be extended to IPv6, or we could add
another option which is the equivalent of

bogus-nxdomain=0.0.0.0,::

Or both.

Simon.
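To make the interaction between the options discussed in this thread concrete, here is a small Python model of the decision a resolver makes on each upstream reply. It is an added illustration, not dnsmasq's code: the address range lists, the function names, and the assumption that the bogus-nxdomain rewrite runs before the rebind check (inferred from Kevin's observation that --bogus-nxdomain=0.0.0.0 stops the warnings) are all mine, and it models the behaviour after :: and 0.0.0.0 are covered by --rebind-localhost-ok. The "::" entry in bogus_nxdomain stands in for the IPv6 extension Simon proposes, which the thread does not say exists.

```python
import ipaddress

# Ranges a rebind filter treats as private: an upstream answer in one of
# these can point a LAN client at another LAN host. Constructed list for
# this example, not dnsmasq's own table.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
)]
LOCALHOST_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
# The "null" answers that blocklist resolvers return instead of NXDOMAIN.
# 0.0.0.0 sits inside 0.0.0.0/8, which is the check Kevin saw it caught by.
NULL_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "::/128")]


def classify(answer: str) -> str:
    """Return 'null', 'localhost', 'private' or 'public' for one A/AAAA answer."""
    ip = ipaddress.ip_address(answer)
    # An IPv4-mapped IPv6 answer (::ffff:a.b.c.d) is judged as its IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for label, nets in (("null", NULL_NETS),
                        ("localhost", LOCALHOST_NETS),
                        ("private", PRIVATE_NETS)):
        if any(ip in n for n in nets):
            return label
    return "public"


def check_reply(answers, stop_dns_rebind=True, rebind_localhost_ok=False,
                bogus_nxdomain=()):
    """Decide what the resolver does with the answers of one reply.

    Returns ("NXDOMAIN", []) when a bogus-nxdomain match converts the reply,
    ("REBIND", []) when rebind protection discards it (and logs a warning),
    or ("OK", answers) when it is passed to the client unchanged.
    """
    bogus = {ipaddress.ip_address(b) for b in bogus_nxdomain}
    # Assumed ordering: the bogus-nxdomain rewrite happens first, so a
    # rewritten answer never reaches the rebind check.
    if any(ipaddress.ip_address(a) in bogus for a in answers):
        return ("NXDOMAIN", [])
    if stop_dns_rebind:
        for a in answers:
            kind = classify(a)
            if kind == "private":
                return ("REBIND", [])
            # Loopback and null answers are only let through when the
            # operator has opted in with rebind-localhost-ok.
            if kind in ("localhost", "null") and not rebind_localhost_ok:
                return ("REBIND", [])
    return ("OK", list(answers))


if __name__ == "__main__":
    # Constructed replies from a blocklisting upstream: A -> 0.0.0.0, AAAA -> ::
    for opts in ({},
                 {"rebind_localhost_ok": True},
                 {"rebind_localhost_ok": True, "bogus_nxdomain": ["0.0.0.0"]},
                 {"rebind_localhost_ok": True, "bogus_nxdomain": ["0.0.0.0", "::"]}):
        print(opts, "A:", check_reply(["0.0.0.0"], **opts),
              "AAAA:", check_reply(["::"], **opts))
```

Running it shows Kevin's sequence: with plain rebind protection the 0.0.0.0 answer is discarded with a warning, adding --bogus-nxdomain=0.0.0.0 turns the A answer into NXDOMAIN, but the :: answer to an AAAA query still passes to the client until an IPv6 equivalent exists.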
