Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 10:18:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Extend stop-dns-rebind to reject IPv6 LL and ULA addresses.

Browse Source 
We also reject the loopback address if rebind-localhost-ok is NOT set.

Signed-off-by: DL6ER <dl6er@dl6er.de>
This commit is contained in:
Dominik DL6ER
2020-03-17 22:59:17 +00:00
committed by Simon Kelley
parent 63ed917ad9
commit e7ee1aa093
2 changed files with 26 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
man/dnsmasq.8
View File

@@ -395,11 +395,13 @@ were previously disabled.
.TP
.B --stop-dns-rebind
Reject (and log) addresses from upstream nameservers which are in the
private IP ranges. This blocks an attack where a browser behind a
firewall is used to probe machines on the local network.
private ranges. This blocks an attack where a browser behind a
firewall is used to probe machines on the local network. For IPv6, the
private range covers the IPv4-mapped addresses in private space plus
all link-local (LL) and site-local (ULA) addresses.
.TP
.B --rebind-localhost-ok
Exempt 127.0.0.0/8 from rebinding checks. This address range is
Exempt 127.0.0.0/8 and ::1 from rebinding checks. This address range is
returned by realtime black hole servers, so blocking it may disable
these services.
.TP