
Security enhancement for the "never forward non-FQDNs" feature #3794

Merged
merged 2 commits into from
Oct 21, 2020

Conversation

DL6ER
Member

@DL6ER DL6ER commented Oct 10, 2020

By submitting this pull request, I confirm the following:

  • I have read and understood the contributors guide, as well as this entire template.
  • I have made only one major change in my proposed changes.
  • I have commented my proposed changes within the code.
  • I have tested my proposed changes, and have included unit tests where possible.
  • I am willing to help maintain this change if there are issues with it later.
  • I give this submission freely and claim no ownership.
  • It is compatible with the EUPL 1.2 license
  • I have squashed any insignificant commits. (git rebase)

What does this PR aim to accomplish?:

Security enhancement for the "never forward non-FQDNs" feature

How does this PR accomplish the above?:

This should prevent all local queries from being forwarded (will show up as blocked by regex) as well as any hostname without a domain (for example one word searches from the address bar in browsers). This fixes issue #3303 where this improvement was suggested by @jacklul.

Tests

(🟢 = not forwarded, 🔴 = forwarded, domain = lan)

Before this PR:

  • localhost 🟢 (IP)
  • localhost.lan 🔴 (forwarded, came back as NXDOMAIN)
  • dhcphost 🟢 (IP)
  • dhcphost.lan 🟢 (IP)
  • nonexistinghost 🟢 (NODATA)
  • nonexistinghost.lan 🔴 (forwarded, came back as NXDOMAIN)

After this PR:

  • localhost 🟢 (IP)
  • localhost.lan 🟢 (IP)
  • dhcphost 🟢 (IP)
  • dhcphost.lan 🟢 (IP)
  • nonexistinghost 🟢 (NODATA)
  • nonexistinghost.lan 🟢 (NXDOMAIN)

What documentation changes (if any) are needed to support this PR?:

None

…should prevent all local queries from being forwarded (will show up as blocked by regex) as well as any hostname without a domain (for example one word searches from the address bar in browsers). This fixes #3303

Signed-off-by: DL6ER <dl6er@dl6er.de>
…on is enabled to prevent unintended side-effects of this change

Signed-off-by: DL6ER <dl6er@dl6er.de>
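The table above can be read as a decision rule: local records are answered directly, single-label names never leave the resolver, and, once the fix is in, names under the local domain are answered locally (NXDOMAIN when unknown) instead of being forwarded. The following is an added model of that rule, not Pi-hole's or dnsmasq's code; the hosts-file and DHCP entries are constructed, and the split between "before" and "after" behaviour is a modelling assumption taken from the test table, since the PR's diff is not shown here.

```python
"""Model of the 'never forward non-FQDNs' decision for the PR's six test names."""

# Constructed local records standing in for /etc/hosts and the DHCP lease table.
HOSTS_FILE = {"localhost": "127.0.0.1"}
DHCP_LEASES = {"dhcphost": "192.168.1.23"}
LOCAL_DOMAIN = "lan"

PR_TEST_NAMES = ["localhost", "localhost.lan", "dhcphost", "dhcphost.lan",
                 "nonexistinghost", "nonexistinghost.lan"]


def resolve(qname: str, fixed: bool) -> str:
    """Return how the resolver handles qname.

    'IP'        answered from local records
    'NODATA'    unknown single-label name, never forwarded
    'NXDOMAIN'  unknown name under the local domain, answered locally (fix only)
    'FORWARDED' sent to the upstream resolver: the leak the PR closes for
                local-domain names
    """
    labels = qname.rstrip(".").lower().split(".")
    in_local_domain = len(labels) >= 2 and labels[-1] == LOCAL_DOMAIN
    host = labels[0] if len(labels) == 1 else ".".join(labels[:-1]) if in_local_domain else None

    if host is not None:
        # Assumption from the table: DHCP names are known both bare and under
        # the local domain, hosts-file names only bare until the fix makes the
        # resolver treat the local domain as its own.
        if host in DHCP_LEASES or (host in HOSTS_FILE and (fixed or not in_local_domain)):
            return "IP"
    if len(labels) == 1:
        return "NODATA"      # plain names (e.g. address-bar words) never go upstream
    if in_local_domain and fixed:
        return "NXDOMAIN"    # local domain answered here; unknown names get NXDOMAIN
    return "FORWARDED"


def run_pr_tests(fixed: bool) -> dict:
    """Outcome for each of the PR's test names, before (False) or after (True) the fix."""
    return {name: resolve(name, fixed) for name in PR_TEST_NAMES}


def leaked_names(fixed: bool) -> list:
    """Test names that would reach the upstream resolver."""
    return [name for name, result in run_pr_tests(fixed).items() if result == "FORWARDED"]


if __name__ == "__main__":
    for state in (False, True):
        print("after fix" if state else "before fix", run_pr_tests(state), "leaked:", leaked_names(state))
```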
@DL6ER
Member Author

DL6ER commented Oct 10, 2020

Note: Currently, the web interface shows queries like nonexistinghost.lan as Blocked (blacklist regex) because it cannot distinguish them from wildcards in dnsmasq style. Any suggestions for how to deal with them?

(Note that this is a separate issue in the realm of FTL which does not prevent this security fix from being merged!)

@dschaper
Member

for example one word searches from the address bar in browsers

That's an annoying "feature". To clarify, this will just prevent the DNS lookup, but the actual search will still go through?

@DL6ER DL6ER merged commit 5010001 into development Oct 21, 2020
@DL6ER DL6ER deleted the security/non_FQDNs_locality branch October 21, 2020 19:09
@DL6ER DL6ER mentioned this pull request Nov 8, 2020
@pralor-bot

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/pi-hole-core-web-v5-2-and-ftl-v5-3-released/40909/1

@pralor-bot

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/all-requests-for-local-are-blocked/41601/10
