commit a914d0aa6a02b06c28d823b5d66eefa011c66e5a
author Sung Pae <self@sungpae.com> Mon Dec 30 17:07:37 2019 -0600
committer Simon Kelley <simon@thekelleys.org.uk> Sun Jan 05 22:07:01 2020 +0000
tree 71b0194621606ece2afc6c47bc4268b35a25a05d
parent 91102ad5ebf5f618dd1879aacb0a84eb2b1d82b2

Check for SERV_NO_REBIND on unqualified domains

Hello,

My home network has a DNS search domain of home.arpa and my machine's dnsmasq
instance is configured with:

        server=/home.arpa/192.168.0.1
        server=//192.168.0.1
        stop-dns-rebind
        rebind-domain-ok=home.arpa
        rebind-domain-ok=// # Match unqualified domains

Querying my router's FQDN works as expected:

        dnsmasq: query[A] gateway.home.arpa from 127.0.0.1
        dnsmasq: forwarded gateway.home.arpa to 192.168.0.1
        dnsmasq: reply gateway.home.arpa is 192.168.0.1

But using an unqualified domain name does not:

        dnsmasq: query[A] gateway from 127.0.0.1
        dnsmasq: forwarded gateway to 192.168.0.1
        dnsmasq: possible DNS-rebind attack detected: gateway

The attached patch addresses this issue by checking for SERV_NO_REBIND when
handling dotless domains.

>From 0460b07108b009cff06e29eac54910ec2e7fafce Mon Sep 17 00:00:00 2001
From: guns <self@sungpae.com>
Date: Mon, 30 Dec 2019 16:34:23 -0600
Subject: [PATCH] Check for SERV_NO_REBIND on unqualified domains