[Dnsmasq-discuss] Filtering non-latin1 or non-ASCII dns requests?
Petr Menšík
pemensik at redhat.com
Thu May 11 15:48:56 UTC 2023
Is there any specific reason why you would want to block all IDN domains
in your dnsmasq? What attack would you like to prevent? Can you share
examples where this would help?

I think this is a primary job for domain registrars, which should
prevent registrations of mixed alphabets to prevent spoofing of
selected letters. If they don't, I think it is possible to block the whole
TLD where this is allowed. There is no good solution for dnsmasq to do
such a thing. I think it should not be done on the client side and especially
not this way. I would recommend using an RPZ-driven blocklist in a bigger
resolver, which would block only known bad sites.

On 5/11/23 04:12, B at us wrote:
>
> I realize this breaks many standards. But the reality for most small
> installations is we have no real business visiting sites with
> non-ASCII domain names. I’m thinking of protecting against the Greek
> “α” which looks a lot like the letter “a”.
>
> Is there an easy way to translate domains that don’t match
> \.[A-Za-z0-9]\. to 127.0.0.1?
>
> Thanks!
>
--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
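
An added example, not part of the original message and not dnsmasq code: IDN names reach a resolver as ASCII `xn--` labels, so an ASCII-only pattern applied to the query name never sees the Greek letter. The sketch below decodes each label and reports labels that mix scripts; the function names and sample names are constructed for illustration, and the script of a character is approximated from its Unicode name.

```python
import unicodedata

def to_wire(name: str) -> str:
    """Constructed-sample helper: Unicode name -> A-label (xn--) form."""
    return ".".join(
        lab if lab.isascii() else "xn--" + lab.encode("punycode").decode("ascii")
        for lab in name.split("."))

def decode_label(label: str) -> str:
    """One wire-format label -> Unicode; plain ASCII labels pass through."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def label_scripts(label: str) -> set:
    """Scripts in a decoded label, approximated by the first word of each
    character's Unicode name (LATIN, GREEK, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch not in "0123456789-"}

def classify(qname: str) -> str:
    """'ascii', 'idn-single-script', 'idn-mixed-script' or 'invalid'."""
    verdict = "ascii"
    for label in qname.rstrip(".").split("."):
        try:
            decoded = decode_label(label)
        except ValueError:  # malformed punycode or non-ASCII bytes on the wire
            return "invalid"
        if decoded == label.lower():
            continue  # ordinary ASCII label
        if len(label_scripts(decoded)) > 1:
            return "idn-mixed-script"
        verdict = "idn-single-script"
    return verdict

if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    for name in ("example.com", "münchen.example", "exαmple.test"):
        wire = to_wire(name)
        print(f"{wire:32} {classify(wire)}")
```

A label written entirely in one non-Latin script is reported as single-script, so this check does not replace a blocklist of known bad names.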