[Dnsmasq-discuss] New Proposal: stop-dns-rebind is blocking 0.0.0.0 from upstream
moistice at riseup.net
Wed Jul 23 09:41:24 UTC 2025
> Problem
When you use an adblock DNS as upstream in combination with dnsmasq
like below, and the upstream returns 0.0.0.0 as an answer, dnsmasq
blocks it automatically if the user has "stop-dns-rebind" in the config.
User -> DNSmasq -> DNSCrypt(Filters Bad IP & CNAMEs) -> NSANet
User: what is www.google.com
DNSmasq: Yeah, what is www.google.com
DNSCrypt: Google IPs are blocked, so returning 0.0.0.0
(blocked_query_response = 'a:0.0.0.0')
DNSmasq: Upstream returned 0.0.0.0, nulling it out
User: Whaaat??
This is undesired - I want to block 192.168.x.x/169.254.x.x/255.x ranges
from the internet but not 0.0.0.0. "0.0.0.0" is widely used by
HOSTS/AdblockDNS to block the FQDN.
> Proposal
Just like the "rebind-localhost-ok" switch, I propose a new switch A or B:
(A) rebind-zeroed-ok
This simply tells dnsmasq "Exempt 0.0.0.0 from rebinding checks"
(B) dns-rebind-except=CIDR[,CIDR] (or maybe:
dns-rebind-allowed=CIDR[,CIDR])
This simply tells...
e.g.,
stop-dns-rebind
dns-rebind-except = 127.0.0.1/32,192.168.7.0/24
-> will block any LAN, local and 0 EXCEPT those IPs.
stop-dns-rebind
dns-rebind-except = 127.0.0.1/32,0.0.0.0/32
-> This I would like to have.
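The check the proposal describes, as an added example (not dnsmasq's own code): a model of the stop-dns-rebind answer filter with a hypothetical dns-rebind-except CIDR list, so the 0.0.0.0 sentinel from a filtering upstream can be exempted while 192.168.x.x answers are still dropped. The blocked-range table is an approximation of dnsmasq's behaviour, and all addresses are constructed test values.

```python
import ipaddress

# Approximation of the "private" ranges stop-dns-rebind rejects in upstream
# answers (constructed for this example, not dnsmasq's own table).
REBIND_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # covers the 0.0.0.0 sentinel adblock resolvers return
    "10.0.0.0/8",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "172.16.0.0/12",
    "192.168.0.0/16",
)]


def parse_rebind_except(value):
    """Parse the proposed (hypothetical) 'dns-rebind-except=CIDR[,CIDR]' value."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in value.split(",") if c.strip()]


def is_rebind_hit(addr, rebind_except):
    """True if addr is in a blocked range and no exception CIDR covers it."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in rebind_except):
        return False        # explicitly exempted, e.g. 0.0.0.0/32
    return any(ip in net for net in REBIND_BLOCKED)


def accept_answer(a_records, stop_dns_rebind=True, rebind_except=()):
    """Decide whether an upstream answer (list of A-record addresses) is kept.

    Mirrors the stop-dns-rebind rule: a single private address in the answer
    discards the whole reply, unless an exception covers that address.
    """
    if not stop_dns_rebind:
        return True
    return not any(is_rebind_hit(a, rebind_except) for a in a_records)


if __name__ == "__main__":
    # Constructed answers: what the filtering upstream hands back.
    adblocked = ["0.0.0.0"]
    lan_answer = ["192.168.7.5"]
    exc = parse_rebind_except("127.0.0.1/32,0.0.0.0/32")
    print(accept_answer(adblocked))                     # False: today's behaviour
    print(accept_answer(adblocked, rebind_except=exc))  # True: 0.0.0.0 exempted
    print(accept_answer(lan_answer, rebind_except=exc)) # False: LAN range still dropped
```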