Strip EDNS(0) Client Subnet / MAC information #1240
Conversation
DL6ER
force-pushed
the
tweak/strip_EDNS0_ECS
branch
from
e21b6a9
to
235ec9f
Compare
|
Confirm working. Standard behavior
After stripping enabled |
…strip-mac is set. If both the add and strip options are set, incoming EDNS0 options are replaced. This ensures we do not unintentionally forward client information somewhere upstream when ECS is used in lower DNS layers in our local network. Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
DL6ER
force-pushed
the
tweak/strip_EDNS0_ECS
branch
from
235ec9f
to
4486071
Compare
DL6ER
changed the title
|
This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there: https://discourse.pi-hole.net/t/ecs-client-subnet-is-being-sent-to-upstream-server/50790/15 |
|
Confirm stripping MAC does also work. Additionally, replacing MAC/subnet by having strip-mac/subnet together with add-mac/subnet does also work. |
|
Superseded by pi-hole/dnsmasq#1 to be submitted when Simon Kelley returns. |
|
@yubiuser The changes have been merged by Simon Kelley. I imported them into |
|
I'll do. I wonder if we should set both strip options be default - could increase privacy of users? |
|
EDNS(0) ECS shouldn't be used by any client by default. If we set it by default we have to construct all the machinery to allow users disabling it if they want to... |
...true.... |
|
Tried both: stripping and replacing works with current |
By submitting this pull request, I confirm the following:
How familiar are you with the codebase?:
10
Strip EDNS(0) Client Subnet / MAC information if
--strip-subnetor--strip-macis set. If both the add and strip options are set, incoming EDNS0 options are replaced. This ensures we do not unintentionally forward client information somewhere upstream when ECS is used in lower DNS layers in our local network.Note This PR is just here to remind us to work on and send this patch upstream to the main
dnsmasqproject once Simon Kelley is back.