[Dnsmasq-discuss] New Proposal: stop-dns-rebind is blocking 0.0.0.0 from upstream

imnozi at gmail.com imnozi at gmail.com
Wed Jul 23 13:00:07 UTC 2025


On Wed, 23 Jul 2025 09:41:24 +0000
moistice at riseup.net wrote:

> > Problem  
> When you use adblock DNS as upstream in combination with dnsmasq
> like below, and the upstream returns 0.0.0.0 as an answer, dnsmasq
> blocks it automatically if the user has "stop-dns-rebind" in the config.
> 
> User -> DNSmasq -> DNSCrypt(Filters Bad IP & CNAMEs) -> NSANet
> User: what is www.google.com
> DNSmasq: Yeah, what is www.google.com
> DNSCrypt: Google IPs are blocked, so returning 0.0.0.0
> (blocked_query_response = 'a:0.0.0.0')
> DNSmasq: Upstream returned 0.0.0.0, nulling it out
> User: Whaaat??
> 
> This is undesired - I want to block 192.168.x.x/169.254.x.x/255.x ranges
> from the internet but not 0.0.0.0. "0.0.0.0" is widely used by
> HOSTS/AdblockDNS to block the FQDN.

Do you need to specify an address to block an FQDN? Whether or not it is correct usage, I've been using, e.g.,

local=/0-1-x.009418154.xyz/

for some years to block undesired domains from being resolved. Well, technically dnsmasq returns no address in the answer, which serves my purpose just as well: to block access to almost 1.3M undesirable FQDNs. Dnsmasq handles this task with aplomb, but it does balloon to over 100MiB of virtual and resident memory.

Neal


> 
> > Proposal  
> Just like the "rebind-localhost-ok" switch, I propose a new switch, A or B:
> 
> (A) rebind-zeroed-ok
> This simply tells dnsmasq "Exempt 0.0.0.0 from rebinding checks"
> 
> (B) dns-rebind-except=CIDR[,CIDR] (or maybe:
> dns-rebind-allowed=CIDR[,CIDR])
> This simply tells...
> e.g.,
> stop-dns-rebind
> dns-rebind-except = 127.0.0.1/32,192.168.7.0/24
> -> will block any LAN, local and 0 EXCEPT those IPs.  
> stop-dns-rebind
> dns-rebind-except = 127.0.0.1/32,0.0.0.0/32
> -> This I would like to have.  
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
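A small model of the behaviour debated in the thread, added here as an example and not dnsmasq's own code: `parse_config` reads the options named above and `filter_answer` applies the rebind check to the A records of one upstream answer, letting addresses covered by the proposed `dns-rebind-except` CIDRs (or by `rebind-localhost-ok`) through. The blocked-range list is my assumption modelled on dnsmasq's documented private ranges, and `dns-rebind-except` is the proposal from this mail, not an existing dnsmasq keyword.

```python
import ipaddress

# Ranges rejected by stop-dns-rebind. Assumption: this mirrors dnsmasq's
# documented IPv4 set; the mail itself names 192.168.x.x, 169.254.x.x and 0.0.0.0.
REBIND_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def parse_config(text):
    """Parse the few dnsmasq options the thread discusses.
    'dns-rebind-except' is proposal (B) from the mail, not a real keyword."""
    cfg = {"stop-dns-rebind": False, "rebind-localhost-ok": False, "except": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if key == "stop-dns-rebind":
            cfg["stop-dns-rebind"] = True
        elif key == "rebind-localhost-ok":
            cfg["rebind-localhost-ok"] = True
        elif key == "dns-rebind-except":
            cfg["except"].extend(ipaddress.ip_network(c.strip(), strict=False)
                                 for c in value.split(","))
    return cfg


def filter_answer(cfg, addresses):
    """Return (kept, rejected) for the A records of one upstream answer."""
    exempt = list(cfg["except"])
    if cfg["rebind-localhost-ok"]:
        exempt.append(ipaddress.ip_network("127.0.0.0/8"))
    kept, rejected = [], []
    for a in addresses:
        ip = ipaddress.ip_address(a)
        private = any(ip in n for n in REBIND_BLOCKED)
        if cfg["stop-dns-rebind"] and private and not any(ip in n for n in exempt):
            rejected.append(a)
        else:
            kept.append(a)
    return kept, rejected


if __name__ == "__main__":
    # Constructed scenario from the mail: the adblocking upstream answers 0.0.0.0.
    current = parse_config("stop-dns-rebind\n")
    proposed = parse_config("stop-dns-rebind\ndns-rebind-except = 127.0.0.1/32,0.0.0.0/32\n")
    print("today:   ", filter_answer(current, ["0.0.0.0"]))
    print("proposal:", filter_answer(proposed, ["0.0.0.0", "192.168.7.1"]))
```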
