On 17/03/2020 21:48, Dominik wrote:
> Patch attached.

and applied. Thanks.

Simon.

>
> On 17.03.20 21:54, Simon Kelley wrote:
>>
>> On 11/03/2020 07:55, Dominik wrote:
>>> Hey Buck,
>>>
>>> dnsmasq blocks all IPv4 address replies in the "private" subnets when
>>> enabling stop-dns-rebind. For IPv6, it blocks only the IPv4-mapped address
>>> ranges matching said private subnets.
>>>
>>> Neither ULAs nor LLs (link-locals) are blocked in the IPv6 range. I agree
>>> this should be added.
>>>
>>> I can provide a patch for this, maybe tomorrow, if this is wanted. However,
>>> I'm afraid it might already be too late for 2.81, cfm. Simon.
>>
>> Apologies for that late reply. A patch sometime this week should be fine
>> for 2.81.
>>
>> Simon.
>>
>>> Best,
>>> Dominik
>>>
>>> On 11 March 2020 00:47:02 CET, buckh...@weibsvolk.org wrote:
>>>> I am using dnsmasq version pi-hole-2.80 as embedded in Pi-hole, with my
>>>> router set as its sole upstream server (server=192.168.178.1#53).
>>>>
>>>> When evaluating DNS rebind protection provided by dnsmasq (by adding
>>>> stop-dns-rebind), I observed that dnsmasq correctly detects and
>>>> suppresses IPv4 answers, but fails to do the same for IPv6 ULA
>>>> addresses (maybe even for IPv6 in general).
>>>>
>>>> E.g. "nslookup wpad.fritz.box" from a Windows client results in the
>>>> following log entries:
>>>>
>>>> 09:58:08 dnsmasq[20063]: query[A] wpad.fritz.box from 192.168.178.200
>>>> 09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
>>>> 09:58:08 dnsmasq[20063]: possible DNS-rebind attack detected: wpad.fritz.box
>>>> 09:58:08 dnsmasq[20063]: query[AAAA] wpad.fritz.box from 192.168.178.200
>>>> 09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
>>>> 09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fd00::2ba:dcff:feca:fe00
>>>>
>>>> Shouldn't IPv6 ULA and link-local addresses also be suppressed?
>>>> Does dnsmasq exhibit this behaviour by intention, or could this be seen
>>>> as a possible gap in rebind protection?
>>>>
>>>> Kind regards,
>>>>
>>>> Buck
>>>>
>>>> _______________________________________________
>>>> Dnsmasq-discuss mailing list
>>>> Dnsmasq-discuss@lists.thekelleys.org.uk
>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
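The gap discussed in the thread, as an added example that is not part of the mailing-list exchange and is neither dnsmasq's own code nor Dominik's patch: a small policy check that classifies answer addresses the way a rebind filter should, applied to dnsmasq-style "reply ... is <addr>" log lines. The IPv4 prefix list is an assumption standing in for what the thread calls the "private" subnets (dnsmasq's exact list may differ); `check_v6=False` models the behaviour Buck observed (only IPv4 and IPv4-mapped answers suppressed), and the default models the behaviour Dominik agreed to add (ULA fc00::/7 and link-local fe80::/10 also suppressed). The sample log mixes the three lines quoted in the thread with constructed lines, marked as such.

```python
import ipaddress
import re

# Assumed "private" IPv4 ranges a rebind filter refuses in upstream answers.
# This list is an assumption for the example, not dnsmasq's actual table.
PRIVATE_V4 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# The IPv6 ranges the thread identifies as missing from the filter.
PRIVATE_V6 = [
    ipaddress.ip_network("fc00::/7"),   # unique local addresses (ULA)
    ipaddress.ip_network("fe80::/10"),  # link-local
]


def is_rebind_address(text, check_v6=True):
    """Return True if an answer address should be suppressed by rebind protection.

    With check_v6=False only IPv4 and IPv4-mapped IPv6 answers are examined,
    which is the behaviour reported in the thread; with check_v6=True native
    IPv6 ULA and link-local answers are suppressed as well.
    """
    addr = ipaddress.ip_address(text)
    if addr.version == 6:
        mapped = addr.ipv4_mapped
        if mapped is not None:
            addr = mapped          # ::ffff:a.b.c.d -> check the embedded IPv4
        elif check_v6:
            return any(addr in net for net in PRIVATE_V6)
        else:
            return False           # native IPv6 passes untouched (the gap)
    return any(addr in net for net in PRIVATE_V4)


REPLY_RE = re.compile(r"reply (\S+) is (\S+)$")


def scan_replies(log_lines, check_v6=True):
    """Return (name, address, blocked) for each 'reply <name> is <addr>' line."""
    results = []
    for line in log_lines:
        m = REPLY_RE.search(line)
        if not m:
            continue
        name, value = m.groups()
        try:
            blocked = is_rebind_address(value, check_v6)
        except ValueError:
            continue  # reply value is not an address (e.g. <CNAME>), skip it
        results.append((name, value, blocked))
    return results


# Sample log: the first three lines are quoted from the thread, the rest are
# constructed for this example.
SAMPLE_LOG = [
    "09:58:08 dnsmasq[20063]: query[AAAA] wpad.fritz.box from 192.168.178.200",
    "09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1",
    "09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fd00::2ba:dcff:feca:fe00",
    "09:58:09 dnsmasq[20063]: reply wpad.fritz.box is 192.168.178.1",
    "09:58:09 dnsmasq[20063]: reply host.example is ::ffff:192.168.178.1",
    "09:58:09 dnsmasq[20063]: reply host.example is fe80::1",
    "09:58:09 dnsmasq[20063]: reply host.example is 2001:db8::1",
    "09:58:09 dnsmasq[20063]: reply host.example is <CNAME>",
]

if __name__ == "__main__":
    for label, v6 in (("observed (IPv4 + mapped only)", False), ("with ULA/LL", True)):
        print(label)
        for name, value, blocked in scan_replies(SAMPLE_LOG, check_v6=v6):
            print(f"  {name:16} {value:28} {'SUPPRESS' if blocked else 'pass'}")
```

Run against the sample log, the ULA answer `fd00::2ba:dcff:feca:fe00` from the thread passes under the observed policy and is suppressed once native IPv6 ranges are checked; IPv4 and IPv4-mapped answers are suppressed under both, and a global address such as `2001:db8::1` passes under both.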