Strip EDNS(0) Client Subnet / MAC information #1240
…strip-mac is set. If both the add and strip options are set, incoming EDNS0 options are replaced. This ensures we do not unintentionally forward client information somewhere upstream when ECS is used in lower DNS layers in our local network. Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there: https://discourse.pi-hole.net/t/ecs-client-subnet-is-being-sent-to-upstream-server/50790/15
Confirm stripping MAC does also work. Additionally, replacing MAC/subnet by having strip-mac/subnet together with add-mac/subnet does also work.
Superseded by pi-hole/dnsmasq#1 to be submitted when Simon Kelley returns.
@yubiuser The changes have been merged by Simon Kelley. I imported them into
I'll do. I wonder if we should set both strip options by default - could increase privacy of users?
EDNS(0) ECS shouldn't be used by any client by default. If we set it by default we have to construct all the machinery to allow users disabling it if they want to...
...true....
Tried both: stripping and replacing works with current
By submitting this pull request, I confirm the following:
How familiar are you with the codebase?: 10

Strip EDNS(0) Client Subnet / MAC information if --strip-subnet or --strip-mac is set. If both the add and strip options are set, incoming EDNS0 options are replaced. This ensures we do not unintentionally forward client information somewhere upstream when ECS is used in lower DNS layers in our local network.

Note: This PR is just here to remind us to work on and send this patch upstream to the main dnsmasq project once Simon Kelley is back.
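
The stripping step described above, as an added example (not code from this pull request or from dnsmasq): it walks the option list of an EDNS(0) OPT record and drops the Client Subnet and MAC options while keeping every other option. The function name, flags and sample bytes are constructed for illustration, and option code 65001 for the MAC option is an assumption about the value dnsmasq uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OPT_CLIENT_SUBNET 8      /* ECS, RFC 7871 */
#define OPT_MAC           65001  /* assumed: code dnsmasq uses for its MAC option */

/* Walk the RDATA of an EDNS(0) OPT record, a sequence of
   {code:16, length:16, data} options, and copy every option to out
   except those selected by strip_subnet / strip_mac.
   out must hold at least rdlen bytes.
   Returns the new RDATA length, or -1 if an option runs past the end
   of the buffer, so malformed input is rejected instead of forwarded. */
long strip_edns0_options(const uint8_t *rdata, size_t rdlen,
                         uint8_t *out, int strip_subnet, int strip_mac)
{
  size_t i = 0, o = 0;

  while (i < rdlen)
    {
      if (rdlen - i < 4)
        return -1;                       /* truncated option header */
      uint16_t code = (uint16_t)((rdata[i] << 8) | rdata[i + 1]);
      size_t len = (size_t)((rdata[i + 2] << 8) | rdata[i + 3]);
      if (len > rdlen - i - 4)
        return -1;                       /* option data overruns RDATA */

      int drop = (strip_subnet && code == OPT_CLIENT_SUBNET) ||
                 (strip_mac && code == OPT_MAC);
      if (!drop)
        {
          memcpy(out + o, rdata + i, 4 + len);
          o += 4 + len;
        }
      i += 4 + len;
    }
  return (long)o;
}

/* Constructed sample RDATA: ECS for 192.0.2.0/24, a 6-byte MAC option,
   and an 8-byte client cookie (option code 10) that must survive. */
static const uint8_t sample_rdata[] = {
  0x00, 0x08, 0x00, 0x07, 0x00, 0x01, 0x18, 0x00, 0xc0, 0x00, 0x02,
  0xfd, 0xe9, 0x00, 0x06, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
  0x00, 0x0a, 0x00, 0x08, 1, 2, 3, 4, 5, 6, 7, 8
};
```

When the add and strip options are combined, the forwarder would append its own option after this pass, which gives the "replace" behaviour the description mentions; the OPT record's RDLENGTH must be rewritten to the returned length.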