Extend stop-dns-rebind to reject IPv6 LL and ULA addresses.

We also reject the loopback address if rebind-localhost-ok is NOT set.

Signed-off-by: DL6ER <dl6er@dl6er.de>
Dominik DL6ER
2020-03-17 22:59:17 +00:00
committed by Simon Kelley
parent 63ed917ad9
commit e7ee1aa093
2 changed files with 26 additions and 10 deletions


@@ -395,11 +395,13 @@ were previously disabled.
.TP .TP
.B --stop-dns-rebind .B --stop-dns-rebind
Reject (and log) addresses from upstream nameservers which are in the Reject (and log) addresses from upstream nameservers which are in the
private IP ranges. This blocks an attack where a browser behind a private ranges. This blocks an attack where a browser behind a
firewall is used to probe machines on the local network. firewall is used to probe machines on the local network. For IPv6, the
private range covers the IPv4-mapped addresses in private space plus
all link-local (LL) and site-local (ULA) addresses.
.TP .TP
.B --rebind-localhost-ok .B --rebind-localhost-ok
Exempt 127.0.0.0/8 from rebinding checks. This address range is Exempt 127.0.0.0/8 and ::1 from rebinding checks. This address range is
returned by realtime black hole servers, so blocking it may disable returned by realtime black hole servers, so blocking it may disable
these services. these services.
.TP .TP
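Review bot: the new man page wording "site-local (ULA)" conflates two different ranges: the check the code pairs with this text, IN6_IS_ADDR_SITELOCAL, matches the deprecated site-local prefix fec0::/10 (RFC 3879), whereas ULA (RFC 4193) is fc00::/7. State the prefixes the option actually rejects, e.g. "all link-local (fe80::/10) and site-local (fec0::/10) addresses", and mention ULA only once the code covers fc00::/7. Also, --rebind-localhost-ok now exempts both 127.0.0.0/8 and ::1, so "This address range is returned by" should read "These addresses are returned by".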


@@ -844,12 +844,26 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
private_net(addr.addr4, !option_bool(OPT_LOCAL_REBIND))) private_net(addr.addr4, !option_bool(OPT_LOCAL_REBIND)))
return 1; return 1;
if ((flags & F_IPV6) && /* Block IPv4-mapped IPv6 addresses in private IPv4 address space */
IN6_IS_ADDR_V4MAPPED(&addr.addr6)) if (flags & F_IPV6)
{ {
struct in_addr v4; if (IN6_IS_ADDR_V4MAPPED(&addr.addr6))
v4.s_addr = ((const uint32_t *) (&addr.addr6))[3]; {
if (private_net(v4, !option_bool(OPT_LOCAL_REBIND))) struct in_addr v4;
v4.s_addr = ((const uint32_t *) (&addr.addr6))[3];
if (private_net(v4, !option_bool(OPT_LOCAL_REBIND)))
return 1;
}
/* Check for link-local (LL) and site-local (ULA) IPv6 addresses */
if (IN6_IS_ADDR_LINKLOCAL(&addr.addr6) ||
IN6_IS_ADDR_SITELOCAL(&addr.addr6))
return 1;
/* Check for the IPv6 loopback address (::1) when
option rebind-localhost-ok is NOT set */
if (!option_bool(OPT_LOCAL_REBIND) &&
IN6_IS_ADDR_LOOPBACK(&addr.addr6))
return 1; return 1;
} }
} }
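Review bot: IN6_IS_ADDR_SITELOCAL in the new LL/ULA check tests the deprecated site-local prefix fec0::/10, not the ULA range fc00::/7 (RFC 4193), so an upstream answer such as fd00::1 still passes the rebind filter, contrary to the commit message and to the comment "/* Check for link-local (LL) and site-local (ULA) IPv6 addresses */". Add an explicit prefix test next to the macro, e.g. `(addr.addr6.s6_addr[0] & 0xfe) == 0xfc`, and make the comment name exactly what is tested. The control flow otherwise looks right: a v4-mapped address that private_net() does not reject falls through to the link-local, site-local and loopback tests, none of which can match a ::ffff:0:0/96 address, so no legitimate answer is dropped by the fall-through.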