[Dnsmasq-discuss] Is there some way I can tell dnsmasq to give a negative reply to any IPv6 query?

Trey Sis treysis at gmx.net
Fri Sep 24 02:58:22 UTC 2021


Hey Rick,

On 9/24/2021 4:05, Rick Thomas wrote:
> You are right.  It is a mis-config.  If you have the time and interest, I'd appreciate any help you (or the list) can give on correcting the mis-config...
>
> Here's the story:
>
> As noted, my ISP does not provide IPv6 and has no plans to provide it in the future.  I've emailed their technical help line and asked when they might provide IPv6, and got absolute total stony silence in reply.  But I wanted to try experimenting with making my home LAN dual-stack, and fortunately, Hurricane Electric (HE) provides a free (no cost) easy-to-set-up tunnel service for folks like me.  So I signed up with HE and got a /48 IPv6 subnet for my local home LAN.  I bought an inexpensive netgate box (nowadays, I'd use a Raspberry Pi4B) and set it up running Debian as a gateway to HE for my LAN.  It worked great!  I was able to access IPv6-only sites and able to login directly from outside the home LAN (without any firewall pinholes) to the auto-configured IPv6 address of the machines on my LAN.
>
> And thereby lies the catch.  With this setup, any hacker with an IPv6 connection can connect to and try to hack any of the machines on my LAN.  I'd like to prevent that with the equivalent of an IPv4 NAT whereby incoming IPv6 packets are filtered so that anything that is not part of an established connection initiated from inside the LAN will be dropped.  I'm sure it's possible but I'm finding the "iptables" documentation pretty opaque.  Anybody who can point me to a worked example from someone who has done this successfully will be a friend for life.
>
> So I disabled forwarding for IPv6 on the netgate machine -- or at least I thought I did.  It appears that somehow the IPv6 subnet address was still leaking out and all the machines on my LAN were convinced that the netgate machine was still acting as a gateway.  On that assumption, I unplugged the netgate, so that such leakage would be physically impossible, and -- lo and behold -- the problems went away!
>
> Now, what I'd like to do -- but need help doing -- is to set up an iptables firewall to prevent outside access via IPv6, so I can continue experimenting and contributing to world-wide acceptance of IPv6.
>
> Thanks!
> Rick

I am using an HE tunnel in one of my networks as well. But I am using
OpenWrt on the router, which does the firewall setting (ip6tables) for
me. Maybe it's an option to switch to OpenWrt instead of Debian?
Otherwise, this link gives some examples, which might be of help to
set up stateful firewalling:

https://www.sixxs.net/wiki/IPv6_Firewalling


>
> PS:  My original question still stands, though as more of a request for a new feature:  It would be nice to have some way to tell dnsmasq to give a negative reply to any IPv6 query for IPv4-only nets.  And vice versa -- give a negative reply to any IPv4 query for IPv6-only nets.  Is such a thing possible?

I was actually working on a patch that would do this (although no
autodetection). However, my patch had some serious flaws and I have no
idea how to implement it now (I was told I have to use rrfilter, but I
am too unskilled in C to understand how it's all connected under the hood).

Cheers,

Treysis


>
> On Thu, Sep 23, 2021, at 1:56 AM, Trey Sis wrote:
>> There's something wrong with your setup. Did you manually configure an
>> IPv6 address for your machine? wget shouldn't try the IPv6 address if
>> there is no route to the destination.
>>
>> Cheers,
>>
>> Treysis
>>
>> On 9/23/2021 10:02, Rick Thomas wrote:
>>> My ISP does not support IPv6 at all.  Recently I have been having trouble connecting (web and/or ssh) to hosts outside of my local home LAN that have both IPv4 and IPv6 addresses.
>>>
>>> For example:
>>>
>>>       rbthomas at monk:~$ host www.google.com
>>>       www.google.com has address 142.251.33.68
>>>       www.google.com has IPv6 address 2607:f8b0:400a:806::2004
>>>       rbthomas at monk:~$ wget www.google.com
>>>       --2021-09-22 18:23:06--  http://www.google.com/
>>>       Resolving www.google.com (www.google.com)... 2607:f8b0:400a:806::2004, 142.251.33.68
>>>       Connecting to www.google.com (www.google.com)|2607:f8b0:400a:806::2004|:80... ^C
>>>
>>>
>>> Is there some way I can tell dnsmasq to give a negative reply to any IPv6 query?
>>>
>>> I'm using the Debian dnsmasq package version 2.85-1
>>>
>>> Thanks!
>>> Rick
>>>
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
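As an added example (not code from the thread, nor Treysis's or Rick's), here is a minimal stateful ip6tables ruleset of the kind the linked page describes, for a Debian gateway that terminates an HE tunnel and routes a /48 to the LAN: only replies to LAN-initiated connections and ICMPv6 are forwarded in from the tunnel. The interface names eth1 and he-ipv6 and the documentation prefix are assumptions; the script prints the commands for review rather than applying them.

```shell
#!/bin/sh
# Added example: stateful IPv6 filtering for a Debian gateway with an HE tunnel.
# Interface names and prefix below are assumptions; adjust to your setup.
set -eu

LAN_IF="${LAN_IF:-eth1}"        # assumed: interface facing the home LAN
TUN_IF="${TUN_IF:-he-ipv6}"     # assumed: HE 6in4 tunnel interface name
LAN_PREFIX="${LAN_PREFIX:-2001:db8:1234::/48}"  # placeholder documentation prefix

# Emit the ip6tables commands as text so they can be reviewed first;
# apply as root with:  gen_rules | sh
gen_rules() {
    cat <<EOF
ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
# Replies to connections the LAN initiated are allowed back in (the NAT-like behaviour).
ip6tables -A FORWARD -i $TUN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open new connections out through the tunnel, from our own prefix only.
ip6tables -A FORWARD -i $LAN_IF -o $TUN_IF -s $LAN_PREFIX -j ACCEPT
# ICMPv6 must not be blanket-dropped or Path MTU discovery and NDP break;
# restrict to specific --icmpv6-type values if you want to tighten this.
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
# Log what the tunnel tried to push in before the DROP policy discards it.
ip6tables -A FORWARD -i $TUN_IF -j LOG --log-prefix "ip6 fwd drop: "
# The gateway itself: loopback, established replies, ICMPv6, and the LAN side.
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -i $LAN_IF -j ACCEPT
EOF
}

# Sanity check: the number of rules that accept *new* inbound tunnel traffic
# unconditionally. Must be 0; only ESTABLISHED,RELATED and ICMPv6 get through.
inbound_new_accepts() {
    gen_rules | grep -c -- "-A FORWARD -i $TUN_IF -o $LAN_IF -j ACCEPT" || true
}

gen_rules
```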


