Hi!

Address 0.0.0.0 is equivalent to 127.0.0.1 when used by a client socket, at least on Linux systems. You can ping 0.0.0.0 or curl 0.0.0.0 and it does something.

That might allow a remote page to attempt a localhost HTTP request if its name resolves to 0.0.0.0. Unless browsers explicitly block that, it could be dangerous and could be exploited to access local resources from remote sites.

There is already --rebind-localhost-ok. Its meaning is somewhat hidden, but it seems it will allow the 0.0.0.0 address just fine. Maybe the manual page should just mention that in addition.

0.0.0.0/8 is accepted when localhost is allowed, but this is not mentioned in the man page. I think it is good to prevent it by default. IPv6 :: is handled a different way by the system, but would be allowed with localhost too.

This was added in commit 4558c26f, version 2.86.

But something like --rebind-net-ok=192.168.0.0/20 might be useful sometimes. It seems the most common cases are handled already, however.

Hope that helps,

Petr

On 23/07/2025 11:41, [email protected] wrote:
Problem
When you use an adblock DNS as upstream in combination with dnsmasq
like below, and the upstream returns 0.0.0.0 as an answer, dnsmasq
blocks it automatically if the user has "stop-dns-rebind" in the config.

User -> DNSmasq -> DNSCrypt(Filters Bad IP & CNAMEs) -> NSANet
User: what is www.google.com
DNSmasq: Yeah, what is www.google.com
DNSCrypt: Google IPs are blocked, so returning 0.0.0.0
(blocked_query_response = 'a:0.0.0.0')
DNSmasq: Upstream returned 0.0.0.0, nulling it out
User: Whaaat??

This is undesired - I want to block the 192.168.x.x/169.254.x.x/255.x ranges
from the internet but not 0.0.0.0. "0.0.0.0" is widely used by
HOSTS/AdblockDNS to block the FQDN.

Proposal
Just like the "rebind-localhost-ok" switch, I propose a new switch, A or B:

(A) rebind-zeroed-ok
This simply tells dnsmasq "Exempt 0.0.0.0 from rebinding checks"

(B) dns-rebind-except=CIDR[,CIDR] (or maybe:
dns-rebind-allowed=CIDR[,CIDR])
This simply tells...
e.g.,
stop-dns-rebind
dns-rebind-except = 127.0.0.1/32,192.168.7.0/24
-> will block any LAN, local and 0 EXCEPT those IPs.
stop-dns-rebind
dns-rebind-except = 127.0.0.1/32,0.0.0.0/32
-> This I would like to have.

_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

--
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
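The thread is about which upstream answers dnsmasq's stop-dns-rebind check discards and which options exempt them. The following is an added Python model of that policy, written for this thread rather than taken from dnsmasq; the exact private range list, the treatment of :: and the idea that one offending address discards the whole reply are assumptions, and the rebind_except parameter models the CIDR allow-list proposed in the quoted message, which does not exist in dnsmasq. It lets a reader see why 0.0.0.0 from an ad-blocking upstream is dropped by default, that rebind-localhost-ok lets 0.0.0.0 through only by also letting 127.0.0.0/8 through, and how a per-CIDR exemption would separate the two.

```python
import ipaddress

# Constructed model, not dnsmasq code. The ranges treated as "private" by
# stop-dns-rebind are assumed here to be RFC 1918 space plus link-local.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# The thread states that 0.0.0.0/8 is exempted together with loopback by
# rebind-localhost-ok; the IPv6 entries are an assumption added for symmetry.
LOCALHOST = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "::1/128", "::/128")]


def offending_addresses(answers, rebind_localhost_ok=False, rebind_except=()):
    """Return the answer addresses the modelled rebind check would reject.

    answers:             A/AAAA address strings from an upstream reply.
    rebind_localhost_ok: models the existing dnsmasq option of that name.
    rebind_except:       hypothetical CIDR allow-list from the proposal (B).

    An empty result means the reply passes unchanged; a non-empty one means
    the reply would be discarded as a possible rebind attack (assumed
    whole-reply behaviour).
    """
    allow = [ipaddress.ip_network(c) for c in rebind_except]
    rejected = []
    for text in answers:
        addr = ipaddress.ip_address(text)
        # Proposed per-CIDR exemption wins over every other rule.
        if any(addr in net for net in allow):
            continue
        # Loopback and 0.0.0.0/8 share one switch, so they pass or fail together.
        if any(addr in net for net in LOCALHOST):
            if not rebind_localhost_ok:
                rejected.append(text)
            continue
        if any(addr in net for net in PRIVATE_V4):
            rejected.append(text)
    return rejected


def reply_passes(answers, **opts):
    """True when no answer in the reply trips the modelled check."""
    return not offending_addresses(answers, **opts)


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread.
    blocked_by_upstream = ["0.0.0.0"]          # ad-block upstream sinkhole answer
    mixed = ["0.0.0.0", "127.0.0.1", "192.168.7.1"]
    print("default:             ", offending_addresses(blocked_by_upstream))
    print("rebind-localhost-ok: ", offending_addresses(mixed, rebind_localhost_ok=True))
    print("except 0.0.0.0/32:   ", offending_addresses(mixed, rebind_except=["0.0.0.0/32"]))
```

With the default configuration the sinkhole answer is rejected, which is the reporter's complaint; turning on rebind-localhost-ok fixes it but also lets 127.0.0.1 through, which is the caveat in the reply; a 0.0.0.0/32 exemption keeps the loopback and LAN protections while allowing the sinkhole address.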

