Check for SERV_NO_REBIND on unqualified domains

Hello,

My home network has a DNS search domain of home.arpa and my machine's dnsmasq
instance is configured with:

        server=/home.arpa/192.168.0.1
        server=//192.168.0.1
        stop-dns-rebind
        rebind-domain-ok=home.arpa
        rebind-domain-ok=// # Match unqualified domains

Querying my router's FQDN works as expected:

        dnsmasq: query[A] gateway.home.arpa from 127.0.0.1
        dnsmasq: forwarded gateway.home.arpa to 192.168.0.1
        dnsmasq: reply gateway.home.arpa is 192.168.0.1

But using an unqualified domain name does not:

        dnsmasq: query[A] gateway from 127.0.0.1
        dnsmasq: forwarded gateway to 192.168.0.1
        dnsmasq: possible DNS-rebind attack detected: gateway

The attached patch addresses this issue by checking for SERV_NO_REBIND when
handling dotless domains.

>From 0460b07108b009cff06e29eac54910ec2e7fafce Mon Sep 17 00:00:00 2001
From: guns <self@sungpae.com>
Date: Mon, 30 Dec 2019 16:34:23 -0600
Subject: [PATCH] Check for SERV_NO_REBIND on unqualified domains

src/forward.c

@@ -125,7 +125,9 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned
       {
 	unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6; 
 	*type = SERV_FOR_NODOTS;
-	if (serv->flags & SERV_NO_ADDR)
+	if ((serv->flags & SERV_NO_REBIND) && norebind)
+	  *norebind = 1;
+	else if (serv->flags & SERV_NO_ADDR)
 	  flags = F_NXDOMAIN;
 	else if (serv->flags & SERV_LITERAL_ADDRESS)
 	  {