On 05/07/2021 12:34, Rockwell, Dennis wrote:
> I have a situation for which extending those features would be the exact
> solution.
>

The code is there at the bleeding edge now.

https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=5bcca1219af8bad328352d7a656bc9b1e9d61b92

Simon.

> Dennis
>
> On Jul 4, 2021 5:21 PM, Simon Kelley <si...@thekelleys.org.uk> wrote:
> On 04/07/2021 21:32, Simon Kelley wrote:
>> On 30/06/2021 10:40, Kevin Darbyshire-Bryant wrote:
>>> As an 'experiment' I tried switching from my own local 'adblocking'
>>> solution to using an upstream adblocking resolver, e.g. Cloudflare's 1.1.1.2
>>> or 1.1.1.3 service.
>>>
>>> The local adblock solution uses (multiple!) '--address/naughtydomain.foo/'
>>> lines that cause dnsmasq to return 'NXDOMAIN' - fair enough.
>>>
>>> Cloudflare (& others I've tested) return '0.0.0.0' or '::' instead, not
>>> NXDOMAIN. With rebind protection enabled (--stop-dns-rebind), even with
>>> --rebind-localhost-ok I get log 'spam' warning of possible rebind attacks
>>> due to the '0.0.0.0' address response.
>>>
>>> I can turn '0.0.0.0' into NXDOMAIN by using --bogus-nxdomain=0.0.0.0 and
>>> that works fine and stops the rebind warnings. However '::' still gets
>>> through if an AAAA is specifically requested. There is no equivalent
>>> bogus-nxdomain for IPv6.
>>>
>>> The dnsmasq manpage (under --address) advised "Note that NULL addresses
>>> [0.0.0.0 & ::] normally work in the same way as localhost, so beware that
>>> clients looking up these names are likely to end up talking to themselves."
>>> Ideally then 0.0.0.0 & :: would both be turned into NXDOMAIN.
>>>
>>> Should '0.0.0.0/32' be excluded from the rebind checks/accepted by the
>>> '--rebind-localhost-ok' option? It's currently being caught by a
>>> '0.0.0.0/8' check.
>>>
>>
>> I looked at the code that determines private addresses for --bogus-priv
>> and rebind: it's a bit unruly for IPv6, so I've rationalised things and
>> included :: and 0.0.0.0 in the --rebind-localhost-ok coverage, which at
>> least avoids the log spam.
>>
>> I wonder if bogus-nxdomain should be extended to IPv6, or we could add
>> another option which is the equivalent of
>>
>> bogus-nxdomain=0.0.0.0,::
>>
>> Or both.
>>
>> Simon.
>>
>
> At the least, bogus-nxdomain should be extended to IPv6; that would
> extend --ignore-address too, for free.
>
> In progress.
>
> Simon.
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
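To make the interaction of the options discussed in this thread concrete, here is an added Python model (not dnsmasq's code, and not the logic of the commit linked above) that applies a bogus-nxdomain list and a rebind check to constructed upstream A/AAAA answers. The `Policy` fields, the `null_is_localhost` knob, the result tags and the ordering of the two checks are assumptions of the model; the ordering is chosen to match Kevin's observation that `--bogus-nxdomain=0.0.0.0` stops the rebind warnings, and the sample answers are constructed.

```python
"""
Added example, not dnsmasq's own code: a small model of the two reply
filters the thread talks about, so the handling of "null" answers
(0.0.0.0 / ::) under --stop-dns-rebind can be checked on sample data.

Model assumptions (check the dnsmasq man page for the shipped semantics):
  * bogus-nxdomain: if any answer matches a listed address the whole reply
    becomes NXDOMAIN; the list may hold IPv6 addresses too, i.e. the
    extension proposed in the thread.
  * stop-dns-rebind: a reply whose answers land in private, loopback or
    link-local space is flagged as REBIND and no records are kept (dnsmasq
    logs a "possible DNS-rebind attack detected" warning for this case).
  * rebind-localhost-ok exempts loopback; whether 0.0.0.0 and :: are also
    treated as localhost is the knob null_is_localhost.
  * The bogus-nxdomain check runs before the rebind check.
"""
import ipaddress
from dataclasses import dataclass

# The two "null" addresses from the man-page quote in the thread.
NULL_ADDRS = {ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("::")}


@dataclass
class Policy:
    stop_dns_rebind: bool = True
    rebind_localhost_ok: bool = False
    null_is_localhost: bool = False          # assumed knob: localhost-ok covers 0.0.0.0 and ::
    bogus_nxdomain: frozenset = frozenset()  # address strings, IPv4 or IPv6


def in_rebind_space(addr) -> bool:
    """Ranges a rebind check rejects. Python's ipaddress counts 0.0.0.0/8
    and ::/128 as private, which mirrors how 0.0.0.0 gets caught by a
    0.0.0.0/8 check unless it is exempted explicitly."""
    return addr.is_private or addr.is_loopback or addr.is_link_local


def is_localhost_ok(addr, policy: Policy) -> bool:
    """Exemption granted by rebind-localhost-ok (plus the assumed null knob)."""
    if not policy.rebind_localhost_ok:
        return False
    if addr.is_loopback:
        return True
    return policy.null_is_localhost and addr in NULL_ADDRS


def filter_reply(answers, policy: Policy):
    """answers: address strings from one upstream A or AAAA reply.
    Returns (tag, kept_addresses); tag is NOERROR, NXDOMAIN or REBIND."""
    addrs = [ipaddress.ip_address(a) for a in answers]
    bogus = {ipaddress.ip_address(b) for b in policy.bogus_nxdomain}

    # 1. bogus-nxdomain: one matching record turns the whole reply into NXDOMAIN.
    if any(a in bogus for a in addrs):
        return "NXDOMAIN", []

    # 2. rebind protection over whatever survived step 1.
    if policy.stop_dns_rebind:
        for a in addrs:
            if in_rebind_space(a) and not is_localhost_ok(a, policy):
                return "REBIND", []

    return "NOERROR", [str(a) for a in addrs]


# Constructed sample replies, shaped like an adblocking upstream's answers.
SAMPLE = {
    "naughtydomain.foo A":    ["0.0.0.0"],
    "naughtydomain.foo AAAA": ["::"],
    "allowed.example A":      ["1.1.1.2"],   # constructed public answer
}


def run_scenarios():
    """Walk the configurations from the thread over the sample replies."""
    scenarios = [
        ("localhost-ok only",
         Policy(rebind_localhost_ok=True)),
        ("bogus-nxdomain=0.0.0.0",
         Policy(rebind_localhost_ok=True, bogus_nxdomain=frozenset({"0.0.0.0"}))),
        ("bogus-nxdomain=0.0.0.0,::",
         Policy(rebind_localhost_ok=True, bogus_nxdomain=frozenset({"0.0.0.0", "::"}))),
        ("null treated as localhost",
         Policy(rebind_localhost_ok=True, null_is_localhost=True)),
    ]
    return {name: {q: filter_reply(ans, pol)[0] for q, ans in SAMPLE.items()}
            for name, pol in scenarios}


if __name__ == "__main__":
    for name, results in run_scenarios().items():
        print(name)
        for query, tag in results.items():
            print(f"  {query:26s} -> {tag}")
```

`run_scenarios()` walks the three stages of the thread: with only `--rebind-localhost-ok` both null answers are flagged, with `--bogus-nxdomain=0.0.0.0` only the AAAA `::` answer still trips the rebind check, and with `::` added to the list (the IPv6 extension) both become NXDOMAIN. The last scenario reproduces the trade-off in the man-page quote: the warnings stop, but clients receive the null address and end up talking to themselves, which is why turning both into NXDOMAIN is the cleaner outcome.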