[Dnsmasq-discuss] blocklists, blocking servers, rebind attacks & general aaarrggh

Rockwell, Dennis derockwe at akamai.com
Tue Jul 6 12:15:11 UTC 2021


Thank you!  This justifies my team following the bleeding edge instead of the CentOS package!

Dennis

-----Original Message-----
From: Simon Kelley <simon at thekelleys.org.uk>
Date: Monday, July 5, 2021 at 4:21 PM
To: "Rockwell, Dennis" <derockwe at akamai.com>
Cc: "dnsmasq-discuss at lists.thekelleys.org.uk" <dnsmasq-discuss at lists.thekelleys.org.uk>
Subject: Re: [Dnsmasq-discuss] blocklists, blocking servers, rebind attacks & general aaarrggh

    On 05/07/2021 12:34, Rockwell, Dennis wrote:
    > I have a situation for which extending those features would be the exact
    > solution.
    > 


    The code is there at the bleeding edge now.

    https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=5bcca1219af8bad328352d7a656bc9b1e9d61b92


    Simon.

    > Dennis
    > 
    > On Jul 4, 2021 5:21 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
    > On 04/07/2021 21:32, Simon Kelley wrote:
    >> On 30/06/2021 10:40, Kevin Darbyshire-Bryant wrote:
    >>> As an 'experiment' I tried switching from my own local 'adblocking' solution to using an upstream adblocking resolver, e.g. Cloudflare's 1.1.1.2 or 1.1.1.3 service.
    >>>
    >>> The local adblock solution uses (multiple!) '--address/naughtydomain.foo/' lines that cause dnsmasq to return 'NXDOMAIN' - fair enough.
    >>>
    >>> Cloudflare (& others I've tested) return '0.0.0.0' or '::' instead, not NXDOMAIN.  With rebind protection enabled (--stop-dns-rebind), even with --rebind-localhost-ok I get log 'spam' warning of possible rebind attacks due to the '0.0.0.0' address response.
    >>>
    >>> I can turn '0.0.0.0' into NXDOMAIN by using --bogus-nxdomain=0.0.0.0 and that works fine and stops the rebind warnings.  However '::' still gets through if an AAAA is specifically requested.  There is no equivalent bogus-nxdomain for IPv6.
    >>>
    >>> The dnsmasq manpage (under --address) advised "Note that NULL addresses [0.0.0.0 & ::] normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves."  Ideally then 0.0.0.0 & :: would both be turned into NXDOMAIN.
    >>>
    >>> Should '0.0.0.0/32' be excluded from the rebind checks/accepted by the '--rebind-localhost-ok' option?  It's currently being caught by a '0.0.0.0/8' check.
    >>>
    >> 
    >> I looked at the code that determines private addresses for --bogus-priv
    >> and rebind: It's a bit unruly for IPv6, so I've rationalised things and
    >> included :: and 0.0.0.0 in the --rebind-localhost-ok coverage, which at
    >> least avoids the log spam.
    >> 
    >> 
    >> I wonder if bogus-nxdomain should be extended to IPv6, or we could add
    >> another option which is the equivalent of
    >> 
    >> bogus-nxdomain=0.0.0.0,::
    >> 
    >> Or both.
    >> 
    >> Simon.
    >> 
    > 
    > At the least, bogus-nxdomain should be extended to IPv6, that would
    > extend --ignore-address too, for free.
    > 
    > 
    > In progress.
    > 
    > Simon.
    > 
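The interaction the thread describes, as an added Python model that is not dnsmasq's own code: an upstream blocking resolver answers 0.0.0.0 or ::, the --stop-dns-rebind check flags them as private (0.0.0.0 sits inside 0.0.0.0/8), --rebind-localhost-ok exempts them only once the NULL addresses count as localhost (Simon's change), and --bogus-nxdomain turns a matching answer into NXDOMAIN, here accepting IPv6 as the thread proposes. The private-range list, the exemption lists and the helper filter_answer() are this example's own simplifications, not dnsmasq's actual tables or ordering.

```python
import ipaddress

# Simplified stand-in for the ranges dnsmasq's --stop-dns-rebind check treats as
# private (assumed list, not dnsmasq's table).  0.0.0.0 falls inside 0.0.0.0/8,
# which is why a blocking resolver's 0.0.0.0 answer triggers the rebind warning.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10")]

# Ranges exempted by --rebind-localhost-ok: loopback only, or loopback plus the
# NULL addresses 0.0.0.0 and :: (what the linked commit adds).
LOOPBACK_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
NULL_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/32", "::/128")]


def filter_answer(addrs, *, stop_dns_rebind=True, rebind_localhost_ok=True,
                  null_is_localhost=True, bogus_nxdomain=()):
    """Decide what the client sees for an upstream answer carrying `addrs`.

    Returns ("NXDOMAIN", []), ("REBIND", addrs) for an answer the rebind check
    would refuse and log, or ("OK", addrs) for an answer passed through.
    """
    ips = [ipaddress.ip_address(a) for a in addrs]
    # --bogus-nxdomain: any listed address in the answer makes it NXDOMAIN, which
    # (as the thread reports) also silences the rebind warning.  Accepting IPv6
    # entries here models the extension proposed in the thread.
    bogus = {ipaddress.ip_address(b) for b in bogus_nxdomain}
    if any(ip in bogus for ip in ips):
        return "NXDOMAIN", []
    if stop_dns_rebind:
        exempt = LOOPBACK_NETS + (NULL_NETS if null_is_localhost else [])
        for ip in ips:
            if rebind_localhost_ok and any(ip in net for net in exempt):
                continue
            if any(ip in net for net in PRIVATE_NETS):
                return "REBIND", [str(i) for i in ips]
    return "OK", [str(i) for i in ips]


if __name__ == "__main__":
    # Constructed answers from an upstream blocking resolver.
    print(filter_answer(["0.0.0.0"], null_is_localhost=False))      # ("REBIND", ["0.0.0.0"])
    print(filter_answer(["0.0.0.0"]))                               # ("OK", ["0.0.0.0"])
    print(filter_answer(["::"], bogus_nxdomain=("0.0.0.0", "::")))  # ("NXDOMAIN", [])
```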