[Dnsmasq-discuss] blocklists, blocking servers, rebind attacks & general aaarrggh

Rockwell, Dennis derockwe at akamai.com
Mon Jul 5 11:34:11 UTC 2021

I have a situation for which extending those features would be the exact solution.


On Jul 4, 2021 5:21 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
On 04/07/2021 21:32, Simon Kelley wrote:
> On 30/06/2021 10:40, Kevin Darbyshire-Bryant wrote:
>> As an ‘experiment’ I tried switching from my own local ‘adblocking’ solution to using an upstream adblocking resolver, e.g. cloudflare’s or service.
>> The local adblock solution uses (multiple!) ‘--address/naughtydomain.foo/’ lines that cause dnsmasq to return ’NXDOMAIN’ - fair enough.
>> Cloudflare (& others I’ve tested) return ‘’ or ‘::’ instead, not NXDOMAIN.  With rebind protection enabled (--stop-dns-rebind), even with --rebind-localhost-ok I get log ’spam’ warning of possible rebind attacks due to the ‘’ address response.
>> I can turn ‘’ into NXDOMAIN by using --bogus-nxdomain= and that works fine and stops the rebind warnings.  However ‘::’ still gets through if an AAAA is specifically requested.  There is no equivalent bogus-nxdomain for IPv6.
>> The dnsmasq manpage (under --address) advised "Note that NULL addresses [ & ::] normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves.”  Ideally then & :: would both be turned into NXDOMAIN.
>> Should ‘’ be excluded from the rebind checks/accepted by the ‘--rebind-localhost-ok’ option?  It’s currently being caught by a ‘’ check.
> I looked at the code that determines private addresses for --bogus-priv
> and rebind: It's a bit unruly for IPv6, so I've rationalised things and
> included :: and in the --rebind-localhost-ok coverage, which at
> least avoids the log spam.
> I wonder if bogus-nxdomain should be extended to IPv6, or we could add
> another option which is the equivalent of
> bogus-nxdomain=,::
> Or both.
> Simon.

At the least, bogus-nxdomain should be extended to IPv6, that would
extend --ignore-address too, for free.

In progress.
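To see which of the two behaviours the thread contrasts an upstream filtering resolver actually exhibits (the null-address answer that trips --stop-dns-rebind, as against the NXDOMAIN that a local --address= line produces), here is an added Python example; it is not code from dnsmasq or from anyone in this thread. It sends a raw A or AAAA query and classifies the reply, assuming the IPv4 null address is 0.0.0.0 (the value the archive rendering dropped from the quoted text); the name and server are whatever you pass in.

```python
import socket
import struct

A, AAAA = 1, 28
# Assumption: the IPv4 null address is 0.0.0.0 (dropped from the quoted text); IPv6 is ::
NULL_RDATA = {b"\x00" * 4, b"\x00" * 16}

def encode_name(name):
    # Wire-encode a domain name as length-prefixed labels, root label last
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    # Minimal recursion-desired query: header, QNAME, QTYPE, QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def skip_name(msg, off):
    # Return the offset just past a (possibly compressed) name starting at off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def classify(resp):
    # Sort a reply into the cases the thread discusses
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F == 3:            # RCODE 3 = NXDOMAIN, what a local --address= line yields
        return "nxdomain"
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    kinds = set()
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype in (A, AAAA):
            kinds.add("null-address" if rdata in NULL_RDATA else "address")
    if "null-address" in kinds:        # the answer that triggers the rebind warning
        return "null-address"
    return "address" if kinds else "nodata"

def probe(name, server, qtype=A, timeout=3.0):
    # Ask a resolver over UDP port 53 and classify what it returns for name/qtype
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (server, 53))
        return classify(sock.recv(4096))
```

Run probe(name, server, AAAA) as well as the default A lookup, since the thread's point is that the two record types may be handled differently.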


Dnsmasq-discuss mailing list
Dnsmasq-discuss at lists.thekelleys.org.uk