On 30/06/2021 10:40, Kevin Darbyshire-Bryant wrote: > As an ‘experiment’ I tried switching from my own local ‘adblocking’ solution > to using an upstream adblocking resolver, eg. cloudflare’s 1.1.1.2 or 1.1.1.3 > service. > > The local adblock solution uses (multiple!) ‘—address/naughtydomain.foo/‘ > lines that cause dnsmasq to return ’NXDOMAIN’ - fair enough. > > Cloudflare (& others I’ve tested) return ‘0.0.0.0’ or ‘::’ instead, not > NXDOMAIN. With rebind protection enabled (--stop-dns-rebind), even with > --rebind-localhost-ok I get log ’spam’ warning of possible rebind attacks due > to the ‘0.0.0.0’ address response. > > I can turn ‘0.0.0.0’ into NXDOMAIN by using --bogus-nxdomain=0.0.0.0 and that > works fine and stops the rebind warnings. However ‘::’ still gets through if > an AAAA is specifically requested. There is no equivalent bogus-nxdomain for > ipv6. > > The dnsmasq manpage (under —address) advised "Note that NULL addresses > [0.0.0.0 & ::] normally work in the same way as localhost, so beware that > clients looking up these names are likely to end up talking to themselves.” > Ideally then 0.0.0.0 & :: would both be turned into NXDOMAIN. > > Should ‘0.0.0.0/32’ be excluded from the rebind checks/accepted by the > ‘—rebind-localhost-ok’ option. It’s currently being caught by a ‘0.0.0.0/8’ > check. >
I looked at the code that determines private addresses for --bogus-priv and rebind: It's a bit unruly for IPv6, so I've rationalised things and included :: and 0.0.0.0 in the --rebind-localhost-ok coverage, which at least avoids the log spam. I wonder if bogus-nxdomain should be extended to IPv6, or we could add another option which is the equivalent of bogus-nxdomain=0.0.0.0,:: Or both. Simon. _______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss