Patch attached.

On 17.03.20 21:54, Simon Kelley wrote:
>
> On 11/03/2020 07:55, Dominik wrote:
>> Hey Buck,
>>
>> dnsmasq blocks all IPv4 address replies in the "private" subnets when 
>> enabling stop-dns-rebind. For IPv6, it blocks only the IPv4-mapped address 
>> ranges matching said private subnets.
>>
>> Neither ULAs nor LLs (link-locals) are blocked in the IPv6 range. I agree 
>> this should be added.
>>
>> I can provide a patch for this, maybe tomorrow, if this is wanted. However, 
>> I'm afraid it might already be too late for 2.81, cfm. Simon.
> Apologies for that late reply. A patch sometime this week should be fine
> for 2.81.
>
> Simon.
>
>> Best,
>> Dominik
>>
>> On 11 March 2020 at 00:47:02 CET, buckh...@weibsvolk.org wrote:
>>> I am using dnsmasq version pi-hole-2.80 as embedded in Pi-hole, with my
>>> router set as its sole upstream server (server=192.168.178.1#53).
>>>
>>> When evaluating DNS rebind protection provided by dnsmasq (by adding
>>> stop-dns-rebind), I observed that dnsmasq correctly detects and
>>> suppresses IPv4 answers, but fails to do the same for IPv6 ULA
>>> addresses (maybe even for IPv6 in general).
>>>
>>> E.g. "nslookup wpad.fritz.box" from a Windows client results in the 
>>> following log entries:
>>>
>>> 09:58:08 dnsmasq[20063]: query[A] wpad.fritz.box from 192.168.178.200
>>> 09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
>>> 09:58:08 dnsmasq[20063]: possible DNS-rebind attack detected: wpad.fritz.box
>>> 09:58:08 dnsmasq[20063]: query[AAAA] wpad.fritz.box from 192.168.178.200
>>> 09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
>>> 09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fd00::2ba:dcff:feca:fe00
>>>
>>> Shouldn't IPv6 ULA and link-local addresses also be suppressed?
>>> Does dnsmasq exhibit this behaviour by intention, or could this be seen
>>> as a possible gap in rebind protection?
>>>
>>> Kind regards,
>>>
>>> Buck
>>>
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss@lists.thekelleys.org.uk
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
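The classification Dominik describes above (private IPv4 space and IPv4-mapped IPv6 only), extended to the link-local, unique local and loopback ranges the thread asks for, as an added C example that is not dnsmasq's code. is_private_v4() is an assumed stand-in for dnsmasq's private_net(), and the fd00:: address from Buck's log serves as test input; the last function shows why the glibc site-local macro alone does not catch that reply.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example, not dnsmasq code. is_private_v4() stands in for dnsmasq's
   private_net(): RFC 1918 plus 127/8, the latter exempt only if allow_loopback. */
static bool is_private_v4(struct in_addr a, bool allow_loopback)
{
    uint32_t ip = ntohl(a.s_addr);
    if ((ip >> 24) == 10)     return true;             /* 10.0.0.0/8     */
    if ((ip >> 20) == 0xac1)  return true;             /* 172.16.0.0/12  */
    if ((ip >> 16) == 0xc0a8) return true;             /* 192.168.0.0/16 */
    if ((ip >> 24) == 127)    return !allow_loopback;  /* 127.0.0.0/8    */
    return false;
}

/* True when an AAAA answer should be rejected: the IPv4-mapped case dnsmasq
   already handles, plus the local IPv6 ranges the thread asks for. ULA is
   tested by hand since IN6_IS_ADDR_SITELOCAL() only covers fec0::/10. */
bool rebind_reject_v6(const struct in6_addr *a, bool localhost_ok)
{
    if (IN6_IS_ADDR_V4MAPPED(a)) {                     /* ::ffff:a.b.c.d  */
        struct in_addr v4;
        memcpy(&v4.s_addr, &a->s6_addr[12], sizeof v4.s_addr);
        return is_private_v4(v4, localhost_ok);
    }
    if (IN6_IS_ADDR_LINKLOCAL(a))       return true;   /* fe80::/10       */
    if ((a->s6_addr[0] & 0xfe) == 0xfc) return true;   /* fc00::/7 (ULA)  */
    if (IN6_IS_ADDR_SITELOCAL(a))       return true;   /* fec0::/10       */
    if (IN6_IS_ADDR_LOOPBACK(a))        return !localhost_ok;  /* ::1     */
    return false;
}

/* Text front end: 1 = reject, 0 = accept, -1 = not a valid IPv6 address. */
int rebind_reject_v6_str(const char *text, bool localhost_ok)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, text, &a) != 1) return -1;
    return rebind_reject_v6(&a, localhost_ok) ? 1 : 0;
}

/* For comparison: what the site-local macro alone says about an address. */
int sitelocal_macro_matches(const char *text)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, text, &a) != 1) return -1;
    return IN6_IS_ADDR_SITELOCAL(&a) ? 1 : 0;
}
```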
From f8640ee04cb79cc565ba54d24f1f16148adba0c9 Mon Sep 17 00:00:00 2001
From: DL6ER <dl...@dl6er.de>
Date: Tue, 17 Mar 2020 21:40:24 +0000
Subject: [PATCH] Extend stop-dns-rebind to reject IPv6 link-local (LL) and
 unique local addresses (ULA). We also reject the loopback address if
 rebind-localhost-ok is NOT set.

Signed-off-by: DL6ER <dl...@dl6er.de>
---
 man/dnsmasq.8 |  8 +++++---
 src/rfc1035.c | 28 +++++++++++++++++++++-------
 2 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 52a7df0..2032a37 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -395,11 +395,13 @@ were previously disabled.
 .TP
 .B --stop-dns-rebind
 Reject (and log) addresses from upstream nameservers which are in the
-private IP ranges. This blocks an attack where a browser behind a
-firewall is used to probe machines on the local network.
+private ranges. This blocks an attack where a browser behind a
+firewall is used to probe machines on the local network. For IPv6, the
+private range covers the IPv4-mapped addresses in private space plus
+all link-local (LL) and site-local (ULA) addresses.
 .TP
 .B --rebind-localhost-ok
-Exempt 127.0.0.0/8 from rebinding checks. This address range is
+Exempt 127.0.0.0/8 and ::1 from rebinding checks. This address range is
 returned by realtime black hole servers, so blocking it may disable
 these services.
 .TP 
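Review bot: "site-local (ULA)" in the --stop-dns-rebind paragraph names the wrong range: unique local addresses are fc00::/7 (RFC 4193), whereas site-local is the deprecated fec0::/10 (RFC 3879), and the report that prompted this change concerns an fd00:: answer. Suggest "plus all link-local (fe80::/10) and unique local (fc00::/7) addresses", and a sentence noting that ::1 is rejected as well unless --rebind-localhost-ok is given, as the commit message states. In the --rebind-localhost-ok entry, "This address range is" now follows two listed ranges; "These addresses are" fits better.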
diff --git a/src/rfc1035.c b/src/rfc1035.c
index f1edc45..fefe63d 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -843,17 +843,31 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 			      if ((flags & F_IPV4) &&
 				  private_net(addr.addr4, !option_bool(OPT_LOCAL_REBIND)))
 				return 1;
-			      
-			      if ((flags & F_IPV6) &&
-				  IN6_IS_ADDR_V4MAPPED(&addr.addr6))
+
+			      /* Block IPv4-mapped IPv6 addresses in private IPv4 address space */
+			      if (flags & F_IPV6)
 				{
-				  struct in_addr v4;
-				  v4.s_addr = ((const uint32_t *) (&addr.addr6))[3];
-				  if (private_net(v4, !option_bool(OPT_LOCAL_REBIND)))
+				  if (IN6_IS_ADDR_V4MAPPED(&addr.addr6))
+				    {
+				      struct in_addr v4;
+				      v4.s_addr = ((const uint32_t *) (&addr.addr6))[3];
+				      if (private_net(v4, !option_bool(OPT_LOCAL_REBIND)))
+					return 1;
+				    }
+
+				  /* Check for link-local (LL) and site-local (ULA) IPv6 addresses */
+				  if (IN6_IS_ADDR_LINKLOCAL(&addr.addr6) ||
+				      IN6_IS_ADDR_SITELOCAL(&addr.addr6))
+				    return 1;
+
+				  /* Check for the IPv6 loopback address (::1) when
+				     option rebind-localhost-ok is NOT set */
+				  if (!option_bool(OPT_LOCAL_REBIND) &&
+				      IN6_IS_ADDR_LOOPBACK(&addr.addr6))
 				    return 1;
 				}
 			    }
-			  
+
 #ifdef HAVE_IPSET
 			  if (ipsets && (flags & (F_IPV4 | F_IPV6)))
 			    {
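Review bot: IN6_IS_ADDR_SITELOCAL() in the new LL/ULA check matches only fec0::/10 (the deprecated site-local range), not unique local addresses in fc00::/7 (RFC 4193), so the fd00::2ba:dcff:feca:fe00 reply from the report that started this thread still passes. Add an explicit ULA test next to the link-local one, for instance `(addr.addr6.s6_addr[0] & 0xfe) == 0xfc`, and correct the comment, which currently labels site-local as ULA. The loopback branch is consistent with the IPv4 path above it: ::1 is rejected unless OPT_LOCAL_REBIND is set, mirroring the second argument passed to private_net().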
-- 
2.17.1
