On Wed, 23 Jul 2025 09:41:24 +0000 [email protected] wrote:
>
> Problem
> When you use adblock dns as upstream in combination with dnsmasq
> like below, and when the upstream returns 0.0.0.0 as an answer, dnsmasq
> blocks it automatically if the user has "stop-dns-rebind" in the config.
>
> User -> DNSmasq -> DNSCrypt(Filters Bad IP & CNAMEs) -> NSANet
> User: what is www.google.com
> DNSmasq: Yeah, what is www.google.com
> DNSCrypt: Google IPs are blocked, so returning 0.0.0.0
> (blocked_query_response = 'a:0.0.0.0')
> DNSmasq: Upstream returned 0.0.0.0, nulling it out
> User: Whaaat??
>
> This is undesired - I want to block 192.168.x.x/169.254.x.x/255.x ranges
> from the internet but not 0.0.0.0. "0.0.0.0" is widely used by
> HOSTS/AdblockDNS to block the FQDN.
Do you need to specify an address to block an FQDN? Whether or not it is
correct usage, I've been using, e.g.,

    local=/0-1-x.009418154.xyz/

for some years to block undesired domains from being resolved. Well,
technically dnsmasq returns no address in the answer which serves my
purpose just as well: to block access to almost 1.3M undesirable FQDNs.
Dnsmasq handles this task with aplomb; but it does balloon to over 100MiB
virtual and resident memory.

Neal

>
>
> Proposal
> Just like "rebind-localhost-ok" switch, I propose a new switch A or B;
>
> (A) rebind-zeroed-ok
> This simply tells dnsmasq "Exempt 0.0.0.0 from rebinding checks"
>
> (B) dns-rebind-except=CIDR[,CIDR] (or maybe:
> dns-rebind-allowed=CIDR[,CIDR])
> This simply tells...
> e.g.,
> stop-dns-rebind
> dns-rebind-except = 127.0.0.1/32,192.168.7.0/24
> -> will block any LAN, local and 0 EXCEPT those IPs.
> stop-dns-rebind
> dns-rebind-except = 127.0.0.1/32,0.0.0.0/32
> -> This I would like to have.
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> [email protected]
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
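A sketch of the semantics proposed in option (B) above, added here as an example; it is not dnsmasq code and not part of either message. `dns-rebind-except` is the proposal's hypothetical option, and the blocked-range table, function names and sample answers are assumptions constructed for illustration.

```python
import ipaddress

# Assumed stand-in for the ranges a rebind filter rejects.
# This is NOT dnsmasq's own table; it only models the behaviour described above.
REBIND_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "255.255.255.255/32",
)]


def parse_except(value):
    """Parse the proposed 'CIDR[,CIDR]' value into networks.

    ip_network() is strict by default, so an entry with host bits set
    (e.g. 192.168.7.1/24) raises ValueError instead of silently widening.
    """
    return [ipaddress.ip_network(p.strip()) for p in value.split(",") if p.strip()]


def filter_answers(answers, exceptions=()):
    """Split upstream A-record answers into (passed, rejected).

    An answer is rejected when it falls in a blocked range and is not
    covered by any exception network.
    """
    passed, rejected = [], []
    for text in answers:
        addr = ipaddress.ip_address(text)
        blocked = any(addr in net for net in REBIND_BLOCKED)
        exempt = any(addr in net for net in exceptions)
        (rejected if blocked and not exempt else passed).append(text)
    return passed, rejected


# Constructed sample answers: a sinkhole reply, two private addresses,
# and one public (documentation-range) address.
SAMPLE = ["0.0.0.0", "192.168.7.20", "169.254.10.1", "203.0.113.10"]

if __name__ == "__main__":
    print("stop-dns-rebind only:      ", filter_answers(SAMPLE))
    narrow = parse_except("127.0.0.1/32,0.0.0.0/32")
    print("except 0.0.0.0/32:         ", filter_answers(SAMPLE, narrow))
    wide = parse_except("127.0.0.1/32,192.168.7.0/24")
    print("except 192.168.7.0/24:     ", filter_answers(SAMPLE, wide))
```

The `/32` exception lets only the exact sinkhole address through, while a `/24` exception removes rebind protection for every host in that subnet.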
