> Short Summary
DNSMASQ failed to block the domain when queried by an internal CNAME loop, resulting in an overwritten cache and rules no longer being obeyed.

> Summary
Many people, including some famous ad-blockers, use DNSMASQ to block unwanted domains and their subdomains. They expect the software to actually block the request. However, it was found that DNSMASQ fails to block the domain if it is pre-requested by CNAME via another FQDN. This may result in information and privacy leakage.

> Steps to Reproduce
1. Add the following to your dnsmasq.conf or its conf-dir config file. (The 'address=/line-apps.com/#' line is important here.)

====
cache-rr=NS
cache-size=8000
dnssec-no-timecheck
domain-needed
filter-AAAA
filter-rr=AAAA,NS,MX,TXT,HTTPS,PTR,SRV
filterwin2k
local-ttl=3600
log-facility=/var/log/dnsmasq.log
log-queries
min-cache-ttl=3600
address=/line-apps.com/#
====

In my case:

conf-dir=/git_mirror/dnsbl,*.conf

/git_mirror/dnsbl/naver.conf has:

address=/line-apps-beta.com/#
address=/line-apps-rc.com/#
address=/line-apps.com/#
address=/line-beta.me/#
address=/line-cdn.net/#
address=/line-scdn.net/#

2. As root, run "systemctl restart dnsmasq".
3. Run "dig ldblog-image-cdn.line-apps.com A"; the answer SHOULD be "0.0.0.0", which is correct.
4. Next, run "dig livedoor.blogimg.jp A"; the answer is a CNAMEd akamai.net IP address, which is correct.
5. Now, run "dig ldblog-image-cdn.line-apps.com A" again.

> Expected Result
The answer to "dig ldblog-image-cdn.line-apps.com A" SHOULD be "0.0.0.0" because of the address=/line-apps.com/# rule.

> Actual Answer
ldblog-image-cdn.line-apps.com. 3567 IN CNAME blgimg.line-apps.com.akadns.net.
blgimg.line-apps.com.akadns.net. 3567 IN CNAME livedoor.edgesuite.net.
livedoor.edgesuite.net. 3567 IN CNAME a1887.w73.akamai.net.
a1887.w73.akamai.net. 3567 IN A 2.17.251.20
a1887.w73.akamai.net. 3567 IN A 23.216.134.101

It is returning the CNAMEd IP address and ignoring the address=/line-apps.com/# rule.

> Expecting Solution
- The internal CNAME request SHOULD NOT overwrite the cache.
- When the user queries A/AAAA, DNSMASQ should look up the cache with the appropriate query type, like:

[ Cache ]
ldblog-image-cdn.line-apps.com | A                  | 0.0.0.0 (By Rule)
ldblog-image-cdn.line-apps.com | AAAA               | :: (By Rule)
ldblog-image-cdn.line-apps.com | CNAME(AutoQueried) | blgimg.line-apps.com.akadns.net.
ldblog-image-cdn.line-apps.com | CNAME              | blgimg.line-apps.com.akadns.net.

"dig ldblog-image-cdn.line-apps.com A" must return "0.0.0.0".
"livedoor.blogimg.jp A" -CNAME-> "ldblog-image-cdn.line-apps.com|INTERNAL" --> blgimg.line-apps.com.akadns.net

_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
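The report above boils down to a check that anyone running dnsmasq as a blocklist resolver can automate: take the answer section dig returns, take the address=/domain/target rules in force, and flag any record whose owner name is covered by a rule but is not answered with that rule's target. The script below is an added example written for this thread; it is not part of the original report and not dnsmasq code. It assumes dig-style "owner ttl IN type rdata" answer lines, reuses the rule lines and the actual answer quoted in the report as embedded input, and constructs the expected sinkhole answer itself (TTL 3600 taken from local-ttl in the posted config). The 0.0.0.0 / :: expansion of "#" follows dnsmasq's documented behaviour for address=/domain/#.

```python
"""Audit a dig answer section against dnsmasq address=/domain/target block rules.

Added example for the dnsmasq-discuss report above; not the reporter's or
dnsmasq's own code. Runs offline on the embedded sample data.
"""
import re

# dnsmasq answers address=/domain/# with 0.0.0.0 for A and :: for AAAA queries.
SINKHOLE = {"0.0.0.0", "::"}

# Rule lines copied from the report's /git_mirror/dnsbl/naver.conf.
RULES = """\
address=/line-apps-beta.com/#
address=/line-apps-rc.com/#
address=/line-apps.com/#
address=/line-beta.me/#
address=/line-cdn.net/#
address=/line-scdn.net/#
"""

# The answer section the report shows after the CNAME chain entered the cache.
ACTUAL_ANSWER = """\
ldblog-image-cdn.line-apps.com. 3567 IN CNAME blgimg.line-apps.com.akadns.net.
blgimg.line-apps.com.akadns.net. 3567 IN CNAME livedoor.edgesuite.net.
livedoor.edgesuite.net. 3567 IN CNAME a1887.w73.akamai.net.
a1887.w73.akamai.net. 3567 IN A 2.17.251.20
a1887.w73.akamai.net. 3567 IN A 23.216.134.101
"""

# Constructed: what a correctly enforced rule returns (TTL = local-ttl from the config).
EXPECTED_ANSWER = "ldblog-image-cdn.line-apps.com. 3600 IN A 0.0.0.0\n"


def norm(name):
    """Lower-case a DNS name and drop the trailing dot so names compare equal."""
    return name.lower().rstrip(".")


def parse_address_rules(conf_text):
    """Map each address=/domain/target line to the rdata set it must answer with."""
    rules = {}
    for line in conf_text.splitlines():
        m = re.match(r"^address=/([^/]+)/(.*)$", line.strip())
        if not m:
            continue  # other directives are irrelevant to this audit
        domain, target = norm(m.group(1)), m.group(2).strip()
        rules[domain] = set(SINKHOLE) if target == "#" else {target}
    return rules


def match_rule(name, rules):
    """Return the most specific rule domain covering name, or None.

    dnsmasq address= rules match the domain itself and every subdomain of it.
    """
    name = norm(name)
    best = None
    for domain in rules:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return best


def parse_answer(text):
    """Parse 'owner ttl IN type rdata' lines into (owner, ttl, type, rdata) tuples."""
    rrs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # comments, blank lines, dig header noise
        rrs.append((norm(parts[0]), int(parts[1]), parts[3], " ".join(parts[4:])))
    return rrs


def audit(answer_text, conf_text):
    """Return every RR whose owner falls under a rule but is not the rule's target.

    A CNAME on a blocked owner is always a violation: a local address= answer
    never produces a CNAME, so one can only come from upstream data.
    """
    rules = parse_address_rules(conf_text)
    violations = []
    for owner, ttl, rtype, rdata in parse_answer(answer_text):
        domain = match_rule(owner, rules)
        if domain is None:
            continue  # not covered by any block rule
        if rtype in ("A", "AAAA") and rdata in rules[domain]:
            continue  # sinkholed as the rule demands
        violations.append({"owner": owner, "type": rtype, "rdata": rdata,
                           "ttl": ttl, "rule": domain})
    return violations


if __name__ == "__main__":
    for label, answer in (("actual", ACTUAL_ANSWER), ("expected", EXPECTED_ANSWER)):
        found = audit(answer, RULES)
        print(f"{label}: {len(found)} violation(s)")
        for v in found:
            print(f"  {v['owner']} {v['type']} {v['rdata']} (rule address=/{v['rule']}/)")
```

Feed it the answer section of "dig +noall +answer ldblog-image-cdn.line-apps.com A" and the contents of the conf-dir files; any non-empty result means a rule is being bypassed, and the owner/type pair tells you whether it is the cached CNAME from the report or some other leak.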
