From a914d0aa6a02b06c28d823b5d66eefa011c66e5a Mon Sep 17 00:00:00 2001 From: Sung Pae Date: Mon, 30 Dec 2019 17:07:37 -0600 Subject: [PATCH] Check for SERV_NO_REBIND on unqualified domains Hello, My home network has a DNS search domain of home.arpa and my machine's dnsmasq instance is configured with: server=/home.arpa/192.168.0.1 server=//192.168.0.1 stop-dns-rebind rebind-domain-ok=home.arpa rebind-domain-ok=// # Match unqualified domains Querying my router's FQDN works as expected: dnsmasq: query[A] gateway.home.arpa from 127.0.0.1 dnsmasq: forwarded gateway.home.arpa to 192.168.0.1 dnsmasq: reply gateway.home.arpa is 192.168.0.1 But using an unqualified domain name does not: dnsmasq: query[A] gateway from 127.0.0.1 dnsmasq: forwarded gateway to 192.168.0.1 dnsmasq: possible DNS-rebind attack detected: gateway The attached patch addresses this issue by checking for SERV_NO_REBIND when handling dotless domains. >From 0460b07108b009cff06e29eac54910ec2e7fafce Mon Sep 17 00:00:00 2001 From: guns Date: Mon, 30 Dec 2019 16:34:23 -0600 Subject: [PATCH] Check for SERV_NO_REBIND on unqualified domains --- src/forward.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/forward.c b/src/forward.c index 783d247..ed9c8f6 100644 --- a/src/forward.c +++ b/src/forward.c @@ -125,7 +125,9 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned { unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6; *type = SERV_FOR_NODOTS; - if (serv->flags & SERV_NO_ADDR) + if ((serv->flags & SERV_NO_REBIND) && norebind) + *norebind = 1; + else if (serv->flags & SERV_NO_ADDR) flags = F_NXDOMAIN; else if (serv->flags & SERV_LITERAL_ADDRESS) {
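Review bot: the new `else if` chain in the SERV_FOR_NODOTS branch gives SERV_NO_REBIND precedence over SERV_NO_ADDR and SERV_LITERAL_ADDRESS, so a dotless-domain server entry that carries SERV_NO_REBIND together with one of those flags would set `*norebind = 1` and then skip the `flags = F_NXDOMAIN` and literal-address handling instead of doing both. If a `rebind-domain-ok=//` entry can ever share a server record with a `local=//` or address-literal entry, consider setting `*norebind` in a standalone `if` ahead of the existing chain so the rebind exemption and the answer type are decided independently; if the two are always separate entries, a one-line comment stating that would save the next reader the same question. The `&& norebind` guard before the dereference is the right defensive check to keep. A short note in the man page or CHANGELOG that `rebind-domain-ok=//` now also covers unqualified names would round the change off.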