Re: [Dnsmasq-discuss] blocklists, blocking servers, rebind attacks & general aaarrggh

2021-07-06 Thread Rockwell, Dennis via Dnsmasq-discuss
Thank you!  This justifies my team following the bleeding edge instead of the 
CentOS package!

Dennis

-Original Message-
From: Simon Kelley 
Date: Monday, July 5, 2021 at 4:21 PM
To: "Rockwell, Dennis" 
Cc: "dnsmasq-discuss@lists.thekelleys.org.uk" 

Subject: Re: [Dnsmasq-discuss] blocklists, blocking servers, rebind attacks & 
general aaarrggh

On 05/07/2021 12:34, Rockwell, Dennis wrote:
> I have a situation for which extending those features would be the exact
> solution.
> 


The code is there at the bleeding edge now.


https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=5bcca1219af8bad328352d7a656bc9b1e9d61b92



Simon.



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] blocklists, blocking servers, rebind attacks & general aaarrggh

2021-07-05 Thread Simon Kelley
On 05/07/2021 12:34, Rockwell, Dennis wrote:
> I have a situation for which extending those features would be the exact
> solution.
> 


The code is there at the bleeding edge now.

https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=5bcca1219af8bad328352d7a656bc9b1e9d61b92


Simon.





Re: [Dnsmasq-discuss] blocklists, blocking servers, rebind attacks & general aaarrggh

2021-07-05 Thread Simon Kelley
On 05/07/2021 09:20, Kevin Darbyshire-Bryant wrote:
> 
>> I looked at the code that determines private addresses for --bogus-priv
>> and rebind: It's a bit unruly for IPv6, so I've rationalised things and
>> included :: and 0.0.0.0 in the --rebind-localhost-ok coverage, which at
>> least avoids the log spam.
>>
>>
>> I wonder if bogus-nxdomain should be extended to IPv6, or we could add
>> another option which is the equivalent of
>>
>> bogus-nxdomain=0.0.0.0,::
>>
>> Or both.
> 
> Thanks Simon, definitely looks more rational, will give it a try.
> 
> Incidentally, is there a typo in a92c6d77dcd475579c39bdff141f5eb128e2a048 ? - 
> I think you mean to de-ref the pointer, not compare the pointer.
> 
> 
> diff --git a/src/domain-match.c b/src/domain-match.c
> index f82bbdb..97ae9c5 100644
> --- a/src/domain-match.c
> +++ b/src/domain-match.c
> @@ -591,7 +591,7 @@ int add_update_server(int flags,
>else if (*domain == '*')
>  {
>domain++;
> -  if (domain != 0)
> +  if (*domain)
> flags |= SERV_WILDCARD;
>  }
> 
> 
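Review bot: The replacement `if (*domain)` is the right check; the pre-image `if (domain != 0)` tests the pointer, which after `domain++` is never null, so SERV_WILDCARD was being set unconditionally, including for a bare `*` with nothing after it. Because the patch therefore changes behaviour for that input (no SERV_WILDCARD any more), it deserves a sentence in the commit message saying so, and a note in the documentation of what a lone `*` is meant to do. Minor style point: `if (*domain != 0)` would state the intent (non-empty remainder after the `*`) in the same explicit form the original line used.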

Thanks for catching that. Patch applied.


Simon.




Re: [Dnsmasq-discuss] blocklists, blocking servers, rebind attacks & general aaarrggh

2021-07-05 Thread Rockwell, Dennis via Dnsmasq-discuss
I have a situation for which extending those features would be the exact 
solution.

Dennis

On Jul 4, 2021 5:21 PM, Simon Kelley  wrote:

AT the least, bogus-nxdomain should be extended to IPv6, that would
extend --ignore-address too, for free.


In progress.

Simon.



Re: [Dnsmasq-discuss] blocklists, blocking servers, rebind attacks & general aaarrggh

2021-07-04 Thread Simon Kelley
On 04/07/2021 21:32, Simon Kelley wrote:
> I looked at the code that determines private addresses for --bogus-priv
> and rebind: It's a bit unruly for IPv6, so I've rationalised things and
> included :: and 0.0.0.0 in the --rebind-localhost-ok coverage, which at
> least avoids the log spam.
> 
> 
> I wonder if bogus-nxdomain should be extended to IPv6, or we could add
> another option which is the equivalent of
> 
> bogus-nxdomain=0.0.0.0,::
> 
> Or both.
> 
> Simon.
> 

AT the least, bogus-nxdomain should be extended to IPv6, that would
extend --ignore-address too, for free.


In progress.

Simon.



Re: [Dnsmasq-discuss] blocklists, blocking servers, rebind attacks & general aaarrggh

2021-07-04 Thread Simon Kelley
On 30/06/2021 10:40, Kevin Darbyshire-Bryant wrote:
> As an 'experiment' I tried switching from my own local 'adblocking' solution 
> to using an upstream adblocking resolver, e.g. cloudflare's 1.1.1.2 or 1.1.1.3 
> service.
> 
> The local adblock solution uses (multiple!) '--address/naughtydomain.foo/' 
> lines that cause dnsmasq to return 'NXDOMAIN' - fair enough.
> 
> Cloudflare (& others I've tested) return '0.0.0.0' or '::' instead, not 
> NXDOMAIN.  With rebind protection enabled (--stop-dns-rebind), even with 
> --rebind-localhost-ok I get log 'spam' warning of possible rebind attacks due 
> to the '0.0.0.0' address response.
> 
> I can turn '0.0.0.0' into NXDOMAIN by using --bogus-nxdomain=0.0.0.0 and that 
> works fine and stops the rebind warnings.  However '::' still gets through if 
> an AAAA is specifically requested.  There is no equivalent bogus-nxdomain for 
> ipv6.
> 
> The dnsmasq manpage (under --address) advised "Note that NULL addresses 
> [0.0.0.0 & ::] normally work in the same way as localhost, so beware that 
> clients looking up these names are likely to end up talking to themselves."  
> Ideally then 0.0.0.0 & :: would both be turned into NXDOMAIN.
> 
> Should '0.0.0.0/32' be excluded from the rebind checks/accepted by the 
> '--rebind-localhost-ok' option?  It's currently being caught by a '0.0.0.0/8' 
> check.
> 

I looked at the code that determines private addresses for --bogus-priv
and rebind: It's a bit unruly for IPv6, so I've rationalised things and
included :: and 0.0.0.0 in the --rebind-localhost-ok coverage, which at
least avoids the log spam.


I wonder if bogus-nxdomain should be extended to IPv6, or we could add
another option which is the equivalent of

bogus-nxdomain=0.0.0.0,::

Or both.

Simon.




[Dnsmasq-discuss] blocklists, blocking servers, rebind attacks & general aaarrggh

2021-06-30 Thread Kevin Darbyshire-Bryant
As an 'experiment' I tried switching from my own local 'adblocking' solution to 
using an upstream adblocking resolver, e.g. cloudflare's 1.1.1.2 or 1.1.1.3 
service.

The local adblock solution uses (multiple!) '--address/naughtydomain.foo/' lines 
that cause dnsmasq to return 'NXDOMAIN' - fair enough.

Cloudflare (& others I've tested) return '0.0.0.0' or '::' instead, not 
NXDOMAIN.  With rebind protection enabled (--stop-dns-rebind), even with 
--rebind-localhost-ok I get log 'spam' warning of possible rebind attacks due 
to the '0.0.0.0' address response.

I can turn '0.0.0.0' into NXDOMAIN by using --bogus-nxdomain=0.0.0.0 and that 
works fine and stops the rebind warnings.  However '::' still gets through if 
an AAAA is specifically requested.  There is no equivalent bogus-nxdomain for 
ipv6.

The dnsmasq manpage (under --address) advised "Note that NULL addresses [0.0.0.0 
& ::] normally work in the same way as localhost, so beware that clients 
looking up these names are likely to end up talking to themselves."  Ideally 
then 0.0.0.0 & :: would both be turned into NXDOMAIN.

Should '0.0.0.0/32' be excluded from the rebind checks/accepted by the 
'--rebind-localhost-ok' option?  It's currently being caught by a '0.0.0.0/8' 
check.

Cheers,

Kevin D-B

gpg: 012C ACB2 28C6 C53E 9775  9123 B3A2 389B 9DE2 334A



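Added example for this thread (not dnsmasq's code, and not posted by anyone on the list): a small Python model of the decision path Kevin describes above (an upstream blocking resolver answering 0.0.0.0 / :: instead of NXDOMAIN, the 0.0.0.0/8 entry in the rebind check producing the warning, and --bogus-nxdomain=0.0.0.0 leaving :: uncovered) together with the two changes Simon describes in his replies (0.0.0.0 and :: covered by --rebind-localhost-ok, and bogus-nxdomain accepting IPv6 addresses). Option names follow the dnsmasq options named in the thread; the private-address lists, the "REBIND" return marker, the log wording and the example domains are this example's assumptions, not dnsmasq's behaviour.

```python
"""Added example, not dnsmasq's code: a small model of how a forwarding resolver
with rebind protection treats answers from an upstream "blocking" resolver that
answers 0.0.0.0 / :: instead of NXDOMAIN.  Option names mirror dnsmasq's
--stop-dns-rebind, --rebind-localhost-ok and --bogus-nxdomain; the address
lists, the return markers and the log wording are this example's assumptions."""
import ipaddress
from dataclasses import dataclass

IPNet, IPAddr = ipaddress.ip_network, ipaddress.ip_address

# Ranges the rebind check treats as "must not arrive from the public DNS".
# 0.0.0.0/8 is the entry that, in the thread, catches an upstream 0.0.0.0 answer.
PRIVATE_V4 = [IPNet(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                                 "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]
# IPv6 list deliberately without ::, matching the report that :: "still gets through".
PRIVATE_V6 = [IPNet(n) for n in ("::1/128", "fc00::/7", "fe80::/10")]
LOCALHOST = {4: IPNet("127.0.0.0/8"), 6: IPNet("::1/128")}
NULL_ADDRS = {IPAddr("0.0.0.0"), IPAddr("::")}


@dataclass(frozen=True)
class Options:
    stop_dns_rebind: bool = True
    rebind_localhost_ok: bool = False
    # The change described in the thread: --rebind-localhost-ok also covers 0.0.0.0 and ::.
    localhost_ok_covers_null: bool = False
    # Answer addresses rewritten to NXDOMAIN, either family (bogus-nxdomain extended to IPv6).
    bogus_nxdomain: frozenset = frozenset()


def is_private(addr):
    nets = PRIVATE_V4 if addr.version == 4 else PRIVATE_V6
    return any(addr in net for net in nets)


def localhost_ok(addr, opts):
    if not opts.rebind_localhost_ok:
        return False
    if addr in LOCALHOST[addr.version]:
        return True
    return opts.localhost_ok_covers_null and addr in NULL_ADDRS


def filter_reply(name, answers, opts):
    """Decide what the client sees for an upstream reply carrying `answers`.

    Returns (rcode, addresses passed to the client, log lines).  "REBIND" is this
    model's marker for "reply suppressed by rebind protection".
    """
    log = []
    addrs = [IPAddr(a) for a in answers]
    if any(a in opts.bogus_nxdomain for a in addrs):
        return "NXDOMAIN", [], log
    if opts.stop_dns_rebind:
        for a in addrs:
            if is_private(a) and not localhost_ok(a, opts):
                log.append(f"possible DNS-rebind attack detected: {name}")  # wording assumed
                return "REBIND", [], log
    return "NOERROR", [str(a) for a in addrs], log


# Constructed upstream replies (not captured data): a blocking resolver answering
# 0.0.0.0 for A and :: for AAAA, plus an ordinary public answer for comparison.
UPSTREAM = {
    ("ads.example", "A"): ["0.0.0.0"],
    ("ads.example", "AAAA"): ["::"],
    ("www.example", "A"): ["203.0.113.10"],
}


def run(opts):
    """Push every constructed reply through the filter; return {(name, qtype): rcode}."""
    return {q: filter_reply(q[0], ans, opts)[0] for q, ans in UPSTREAM.items()}


def bogus(*addrs):
    return frozenset(IPAddr(a) for a in addrs)


# The reported situation: 0.0.0.0 is caught by 0.0.0.0/8 despite rebind-localhost-ok,
# so the A answer is suppressed with a warning, while :: for AAAA reaches the client.
REPORTED = Options(rebind_localhost_ok=True)
# The IPv4-only workaround, --bogus-nxdomain=0.0.0.0: :: still leaks.
WORKAROUND = Options(rebind_localhost_ok=True, bogus_nxdomain=bogus("0.0.0.0"))
# Null addresses covered by rebind-localhost-ok alone: no warning, but the client
# receives 0.0.0.0 and, as the manpage warns, ends up talking to itself.
LOG_FIX_ONLY = Options(rebind_localhost_ok=True, localhost_ok_covers_null=True)
# Both changes together, with bogus-nxdomain accepting IPv6: each family becomes NXDOMAIN.
FIXED = Options(rebind_localhost_ok=True, localhost_ok_covers_null=True,
                bogus_nxdomain=bogus("0.0.0.0", "::"))

if __name__ == "__main__":
    for label, opts in (("reported", REPORTED), ("workaround", WORKAROUND),
                        ("log-fix-only", LOG_FIX_ONLY), ("fixed", FIXED)):
        print(label)
        for q, ans in UPSTREAM.items():
            rcode, passed, log = filter_reply(q[0], ans, opts)
            print(f"  {q[0]:12} {q[1]:4} upstream={ans} -> {rcode} {passed} {log}")
```

Running the script prints one line per constructed query for each of the four option sets. The point to take from it is the one the thread makes: silencing the rebind warning by exempting 0.0.0.0 and :: only stops the log noise, whereas turning both null addresses into NXDOMAIN is what keeps clients from connecting to themselves, and that needs bogus-nxdomain to understand IPv6 as well.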