I am using dnsmasq version pi-hole-2.80 as embedded in Pi-hole, with my router set as its sole upstream server (server=192.168.178.1#53).

When evaluating DNS rebind protection provided by dnsmasq (by adding stop-dns-rebind), I observed that dnsmasq correctly detects and suppresses IPv4 answers, but fails to do the same for IPv6 ULA addresses (maybe even for IPv6 in general).

E.g. "nslookup wpad.fritz.box" from a Windows client results in the following log entries:

09:58:08 dnsmasq[20063]: query[A] wpad.fritz.box from 192.168.178.200
09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
09:58:08 dnsmasq[20063]: possible DNS-rebind attack detected: wpad.fritz.box
09:58:08 dnsmasq[20063]: query[AAAA] wpad.fritz.box from 192.168.178.200
09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fd00::2ba:dcff:feca:fe00

Shouldn't IPv6 ULA and link-local addresses also be suppressed?
Does dnsmasq exhibit this behaviour by intention, or could this be seen as a possible gap in rebind protection?

Kind regards,

Buck



_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Reply via email to