On 11/03/2020 07:55, Dominik wrote:
> Hey Buck,
>
> dnsmasq blocks all IPv4 address replies in the "private" subnets when
> enabling stop-dns-rebind. For IPv6, it blocks only the IPv4-mapped address
> ranges matching said private subnets.
>
> Neither ULAs nor LLs (link-locals) are blocked in the IPv6 range. I agree
> this should be added.
>
> I can provide a patch for this, maybe tomorrow, if this is wanted. However,
> I'm afraid it might already be too late for 2.81, cfm. Simon.

Apologies for that late reply. A patch sometime this week should be fine
for 2.81.

Simon.

> Best,
> Dominik
>
> On 11 March 2020 00:47:02 CET, buckh...@weibsvolk.org wrote:
>> I am using dnsmasq version pi-hole-2.80 as embedded in Pi-hole, with my
>> router set as its sole upstream server (server=192.168.178.1#53).
>>
>> When evaluating DNS rebind protection provided by dnsmasq (by adding
>> stop-dns-rebind), I observed that dnsmasq correctly detects and
>> suppresses IPv4 answers, but fails to do the same for IPv6 ULA addresses
>> (maybe even for IPv6 in general).
>>
>> E.g. "nslookup wpad.fritz.box" from a Windows client results in the
>> following log entries:
>>
>> 09:58:08 dnsmasq[20063]: query[A] wpad.fritz.box from 192.168.178.200
>> 09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
>> 09:58:08 dnsmasq[20063]: possible DNS-rebind attack detected: wpad.fritz.box
>> 09:58:08 dnsmasq[20063]: query[AAAA] wpad.fritz.box from 192.168.178.200
>> 09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
>> 09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fd00::2ba:dcff:feca:fe00
>>
>> Shouldn't IPv6 ULA and link-local addresses also be suppressed?
>> Does dnsmasq exhibit this behaviour by intention, or could this be seen
>> as a possible gap in rebind protection?
>>
>> Kind regards,
>>
>> Buck
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss@lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
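Added here as an illustration, not code from dnsmasq or from anyone in the thread: a Python check that classifies answer addresses the way Dominik describes the current behaviour (IPv4 private ranges plus IPv4-mapped IPv6) and the way Buck asks for it (ULA and link-local added), then runs both over log lines modelled on Buck's to show which answer only the stricter check catches. The IPv4 range list is an assumption (RFC 1918, link-local, loopback), not dnsmasq's actual table.

```python
import ipaddress
import re

# Assumed IPv4 "private" set (RFC 1918, link-local, loopback); not dnsmasq's own table.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]
# The IPv6 ranges the thread says are missing: ULA (fc00::/7) and link-local (fe80::/10).
LOCAL_V6 = [ipaddress.ip_network(n) for n in ("fc00::/7", "fe80::/10")]
REPLY_RE = re.compile(r"reply (\S+) is (\S+)$")  # dnsmasq "reply NAME is PAYLOAD" line

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = [
    "09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1",
    "09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fd00::2ba:dcff:feca:fe00",
    "09:58:09 dnsmasq[20063]: reply www.example.net is <CNAME>",
    "09:58:09 dnsmasq[20063]: reply www.example.net is 203.0.113.10",
]

def rebind_verdict(answer, check_v6_local=True):
    """Return (blocked, reason) for one A/AAAA answer address. check_v6_local=False
    mimics the thread: only IPv4 and IPv4-mapped IPv6 (::ffff:a.b.c.d) are examined."""
    addr = ipaddress.ip_address(answer)
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped  # fall through to the IPv4 checks below
        elif not check_v6_local:
            return False, "ipv6 unchecked"
        else:
            hit = next((net for net in LOCAL_V6 if addr in net), None)
            return (True, f"ipv6 {hit}") if hit is not None else (False, "ipv6 global")
    hit = next((net for net in PRIVATE_V4 if addr in net), None)
    return (True, f"ipv4 {hit}") if hit is not None else (False, "ipv4 public")

def missed_by_v4_only_filter(log_lines):
    """Reply lines a v4-only check lets through but the v6-aware check blocks."""
    missed = []
    for line in log_lines:
        m = REPLY_RE.search(line)
        if not m:
            continue
        name, payload = m.groups()
        try:
            old_blocked, _ = rebind_verdict(payload, check_v6_local=False)
            new_blocked, reason = rebind_verdict(payload, check_v6_local=True)
        except ValueError:
            continue  # payload is not an address, e.g. "<CNAME>"
        if new_blocked and not old_blocked:
            missed.append((name, payload, reason))
    return missed
```

Running `missed_by_v4_only_filter(SAMPLE_LOG)` reports only the ULA answer for wpad.fritz.box, which is exactly the gap Buck observed.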