[Dnsmasq-discuss] IoT devices are now using unpatched vulnerability in the address configuration of dnsmasq
switching at riseup.net
switching at riseup.net
Fri Jun 6 04:17:45 UTC 2025
Hi there,
I have tried to post about this to dnsmasq-discuss but I never received
any email from it so I am writing this to your email. Long story short,
I have observed some IoT devices such as Amazon Fire TV stick are now
abusing below technique to get the DNS server's IP address. This is
unintended behavior for users who uses your DNS server for filterling,
such as "Pi-hole" users.
Please patch this.
> Problem
The query "https" bypass the filter even when the configuration prohibit
it. IoT devices are querying record of "https" starting recently, to get
the NS information of the upstream. It should be blocked, if there is
"domain-needed" or "address=/https/#" or "address=/https/0.0.0.0" in the
configuration file.
> Steps
1. Install currently Debian latest: apt install dnsmasq
2. In dnsmasq.conf, add below and restart the dnsmasq.
domain-needed
3. Run "dig http", it should return nothing, because of domain-needed.
4. Run "dig https".
> Expected Result
The result of "dig https" should return nothing, just like "dig
anythinghere".
> Actual Result
Returns the list of ICANN NS servers.
> Additional Note
I also added "address=/https/#" and tried again, same result.
More information about the Dnsmasq-discuss
mailing list