[Dnsmasq-discuss] New Proposal: stop-dns-rebind is blocking 0.0.0.0 from upstream
moistice at riseup.net
Wed Jul 23 22:11:48 UTC 2025
The NXDOMAIN is not a good idea to block something; malicious software
will attempt to resolve DNS over and over until it gets an IP address.
This is why many HOSTS files like this -
https://github.com/hagezi/dns-blocklists - are using 0.0.0.0. (I'm using
its Ultimate list)
my config part:
addn-hosts=/..../my_hosts_rules.txt
addn-hosts=/..../hosts.hagezi.txt
addn-hosts=/..../hosts.badmojr.txt
addn-hosts=/..../hosts.stevenblack.txt
my upstream (dnscrypt):
- blocks known Advert IP ranges, returns 0.0.0.0 if IP is in range
I really hope the author adds a switch to make "0.0.0.0" an exception to
the rebind protection so that I can keep enabling rebind protection.
On 2025-07-23 13:00, imnozi at gmail.com wrote:
> Do you need to specify an address to block an FQDN? Whether or not it is correct usage, I've been using, e.g.,
>
> local=/0-1-x.009418154.xyz/
>
> for some years to block undesired domains from being resolved. Well, technically dnsmasq returns no address in the answer which serves my purpose just as well: to block access to almost 1.3M undesirable FQDNs. Dnsmasq handles this task with aplomb; but it does balloon to over 100MiB virtual and resident memory.
>
> Neal
>
>
>>
>> > Proposal
>> Just like the "rebind-localhost-ok" switch, I propose a new switch A or B;
>>
>> (A) rebind-zeroed-ok
>> This simply tells dnsmasq "Exempt 0.0.0.0 from rebinding checks"
>>
>> (B) dns-rebind-except=CIDR[,CIDR] (or maybe:
>> dns-rebind-allowed=CIDR[,CIDR])
>> This simply tells...
>> e.g.,
>> stop-dns-rebind
>> dns-rebind-except = 127.0.0.1/32,192.168.7.0/24
>> -> will block any LAN, local and 0 EXCEPT those IPs.
>> stop-dns-rebind
>> dns-rebind-except = 127.0.0.1/32,0.0.0.0/32
>> -> This I would like to have.
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
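To make the proposed semantics concrete, here is an added Python model of the stop-dns-rebind filter with the proposed dns-rebind-except=CIDR[,CIDR] list. It is not dnsmasq's code: the option name, the exact set of rejected ranges and the sample answers are assumptions taken from this thread.

```python
"""Model of dnsmasq's stop-dns-rebind answer filter plus the proposed
dns-rebind-except exemption list (a hypothetical option, not yet in dnsmasq).
Constructed example for this thread; not dnsmasq source."""
import ipaddress

# Ranges the filter rejects: RFC 1918 private space, loopback and the
# 0.0.0.0/8 "this network" block. Assumed approximation of dnsmasq's check.
REBIND_BLOCKED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8",
)]


def parse_except(value):
    """Parse an option value such as '127.0.0.1/32,0.0.0.0/32'."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]


def answer_allowed(addr, except_cidrs=(), localhost_ok=False):
    """True if an upstream A answer would be passed to the client."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return True                      # IPv6 is not modelled here
    if any(ip in n for n in except_cidrs):
        return True                      # proposed dns-rebind-except
    if localhost_ok and ip.is_loopback:
        return True                      # existing rebind-localhost-ok
    return not any(ip in n for n in REBIND_BLOCKED)


def filter_answers(answers, except_cidrs=(), localhost_ok=False):
    """Split a list of A answers into (kept, rejected)."""
    kept, rejected = [], []
    for a in answers:
        (kept if answer_allowed(a, except_cidrs, localhost_ok)
         else rejected).append(a)
    return kept, rejected


if __name__ == "__main__":
    # Constructed answers: a blocklisted name answered with 0.0.0.0, two
    # answers pointing at LAN hosts, and a public (TEST-NET-3) address.
    answers = ["0.0.0.0", "192.168.7.20", "10.0.0.5", "203.0.113.10"]
    for opt in ("", "127.0.0.1/32,192.168.7.0/24", "127.0.0.1/32,0.0.0.0/32"):
        kept, rej = filter_answers(answers, parse_except(opt))
        print(f"dns-rebind-except={opt or '(unset)'}: kept={kept} rejected={rej}")
```

With the second configuration from the thread the 0.0.0.0 answers from the blocklist pass while the 192.168.x and 10.x answers are still rejected, which is the behaviour the poster is asking for.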