[Dnsmasq-discuss] New Proposal: stop-dns-rebind is blocking 0.0.0.0 from upstream

Petr Menšík pemensik at redhat.com
Fri Aug 1 19:27:40 UTC 2025


Hi!

Address 0.0.0.0 is equivalent to 127.0.0.1 when used by a client socket, 
at least on Linux systems. You can ping 0.0.0.0 or curl 0.0.0.0 and it 
does something.

That might allow a remote page to attempt a localhost HTTP request if its 
name resolves to 0.0.0.0. Unless browsers explicitly block that, it 
could be dangerous and could be exploited to access local resources from 
remote sites.

There is already --rebind-localhost-ok. Its meaning is somewhat hidden, 
but it seems that it will allow the 0.0.0.0 address just fine. Maybe the 
manual page should just mention that in addition.

0.0.0.0/8 is accepted when localhost is allowed, but this is not mentioned 
in the man page. I think it is good to prevent it by default. IPv6 :: is 
handled a different way by the system, but would be allowed with localhost 
too.

This was added in commit 4558c26f, version 2.86.

But something like --rebind-net-ok=192.168.0.0/20 might be useful 
sometime. It seems most common cases are handled already, however.

Hope that helps,

Petr

On 23/07/2025 11:41, moistice at riseup.net wrote:
>> Problem
> When you use an adblock DNS as upstream in combination with dnsmasq
> like below, and the upstream returns 0.0.0.0 as an answer, dnsmasq
> blocks it automatically if the user has "stop-dns-rebind" in the config.
>
> User -> DNSmasq -> DNSCrypt(Filters Bad IP & CNAMEs) -> NSANet
> User: what is www.google.com
> DNSmasq: Yeah, what is www.google.com
> DNSCrypt: Google IPs are blocked, so returning 0.0.0.0
> (blocked_query_response = 'a:0.0.0.0')
> DNSmasq: Upstream returned 0.0.0.0, nulling it out
> User: Whaaat??
>
> This is undesired - I want to block 192.168.x.x/169.254.x.x/255.x ranges
> from the internet but not 0.0.0.0. "0.0.0.0" is widely used by
> HOSTS/AdblockDNS to block the FQDN.
>
>> Proposal
> Just like the "rebind-localhost-ok" switch, I propose a new switch, A or B:
>
> (A) rebind-zeroed-ok
> This simply tells dnsmasq "Exempt 0.0.0.0 from rebinding checks"
>
> (B) dns-rebind-except=CIDR[,CIDR] (or maybe:
> dns-rebind-allowed=CIDR[,CIDR])
> This simply tells...
> e.g.,
> stop-dns-rebind
> dns-rebind-except = 127.0.0.1/32,192.168.7.0/24
> -> will block any LAN, local and 0 EXCEPT those IPs.
> stop-dns-rebind
> dns-rebind-except = 127.0.0.1/32,0.0.0.0/32
> -> This I would like to have.
>
-- 
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
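To make the behaviour discussed in this thread concrete, here is a small model of a stop-dns-rebind style filter, written as an added example for this page. It is not dnsmasq's code and not the project's API: the range list is an assumption built from the ranges named in the thread (192.168.x.x, 169.254.x.x, 127.0.0.0/8, 0.0.0.0/8, :: and ::1) plus the remaining RFC 1918 ranges and IPv6 link-local, and the `except_nets` parameter models the *proposed* dns-rebind-except=CIDR[,CIDR] option, which does not exist in dnsmasq at the time of this message. It shows why an adblock upstream's 0.0.0.0 answer is dropped by default, why --rebind-localhost-ok (per Petr's reading) lets it through together with 127.0.0.0/8, and how a CIDR exemption list would allow 0.0.0.0 while still rejecting LAN addresses.

```python
from ipaddress import ip_address, ip_network

# Assumed model of the ranges a stop-dns-rebind filter rejects.  This is an
# added example, not dnsmasq's own list: the thread names 192.168/16,
# 169.254/16, 127/8, 0/8, :: and ::1; 10/8, 172.16/12 and fe80::/10 are
# added here as the usual private/link-local ranges.
PRIVATE_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fe80::/10",
)]

# Ranges the thread says are exempted together by --rebind-localhost-ok
# (0.0.0.0/8 and :: ride along with 127.0.0.0/8 and ::1).
LOCALHOST_NETS = [ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "::1/128", "::/128",
)]


def rebind_rejects(answer, localhost_ok=False, except_nets=()):
    """Return True if the model filter would drop this A/AAAA answer.

    localhost_ok models --rebind-localhost-ok.
    except_nets (CIDR strings) models the proposed dns-rebind-except option;
    it is hypothetical and does not exist in dnsmasq as of this thread.
    """
    addr = ip_address(answer)
    # Explicit exemptions win first (version mismatch simply never matches).
    if any(addr in ip_network(cidr) for cidr in except_nets):
        return False
    if any(addr in net for net in LOCALHOST_NETS):
        return not localhost_ok
    return any(addr in net for net in PRIVATE_NETS)


def filter_answers(answers, **policy):
    """Return the answers a resolver running this policy would pass to the client."""
    return [a for a in answers if not rebind_rejects(a, **policy)]


if __name__ == "__main__":
    # Constructed upstream responses: a real public address, an adblock
    # upstream's 0.0.0.0 "blocked" answer, and a classic rebinding payload.
    upstream = ["142.250.74.36", "0.0.0.0", "192.168.7.5", "::", "fe80::1"]

    print("default stop-dns-rebind  :", filter_answers(upstream))
    print("+ rebind-localhost-ok    :", filter_answers(upstream, localhost_ok=True))
    print("+ except 127/32, 0/32    :",
          filter_answers(upstream, except_nets=("127.0.0.1/32", "0.0.0.0/32")))
```

The third run reproduces the configuration the original poster wanted: 0.0.0.0 survives, while 192.168.7.5 and the IPv6 link-local answer are still rejected. Note that `rebind-localhost-ok` is a coarser tool than a CIDR list, because it also passes every 127.0.0.0/8 answer, which is exactly the localhost-request concern Petr raises at the top of the message.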