From b86ebe20d7900a9a8898e5173a42ccb4dc7ee422 Mon Sep 17 00:00:00 2001
From: David Myers
Date: Wed, 8 Aug 2018 00:25:33 -0400
Subject: [PATCH] Prevent DNS rebinding (#1049)

---
 .../dns_adblocking/templates/dnsmasq.conf.j2 | 1 +
 roles/dns_encryption/tasks/main.yml | 7 +++
 .../templates/dnscrypt-proxy.toml.j2 | 2 +-
 .../templates/ip-blacklist.txt.j2 | 44 +++++++++++++++++++
 4 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 roles/dns_encryption/templates/ip-blacklist.txt.j2

diff --git a/roles/dns_adblocking/templates/dnsmasq.conf.j2 b/roles/dns_adblocking/templates/dnsmasq.conf.j2
index 135aeb1..0e6e72f 100644
--- a/roles/dns_adblocking/templates/dnsmasq.conf.j2
+++ b/roles/dns_adblocking/templates/dnsmasq.conf.j2
@@ -94,6 +94,7 @@ server={{ local_service_ip }}#5353
 {% for host in dns_servers.ipv4 %}
 server={{ host }}
 {% endfor %}
+stop-dns-rebind
 {% endif %}
 # and this sets the source (ie local) address used to talk to
diff --git a/roles/dns_encryption/tasks/main.yml b/roles/dns_encryption/tasks/main.yml
index 49c8d6e..5740703 100644
--- a/roles/dns_encryption/tasks/main.yml
+++ b/roles/dns_encryption/tasks/main.yml
@@ -7,6 +7,13 @@
 include_tasks: freebsd.yml
 when: ansible_distribution == 'FreeBSD'
+- name: dnscrypt-proxy ip-blacklist configured
+ template:
+ src: ip-blacklist.txt.j2
+ dest: "{{ config_prefix|default('/') }}etc/dnscrypt-proxy/ip-blacklist.txt"
+ notify:
+ - restart dnscrypt-proxy
+
 - name: dnscrypt-proxy configured
 template:
 src: dnscrypt-proxy.toml.j2
diff --git a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2
index 22e9cfc..f99aeda 100644
--- a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2
+++ b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2
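Review bot: `stop-dns-rebind` is inserted only in the template branch that closes at the `{% endif %}` shown in the hunk, the branch that forwards directly to `dns_servers.ipv4`; the sibling branch whose `server={{ local_service_ip }}#5353` line appears in the hunk header is apparently left without it, so rebinding protection there presumably rests on dnscrypt-proxy's ip-blacklist instead, and a comment should say so. Once enabled, dnsmasq rejects and logs any upstream answer that falls in private, link-local or ULA ranges, which also breaks legitimate split-horizon names resolving to RFC 1918 addresses; dnsmasq's `rebind-domain-ok=` exemption is the knob for those and deserves a mention next to the directive, e.g. `# reject upstream answers in private ranges (DNS rebinding); exempt internal zones with rebind-domain-ok=`. The opening `{% if %}` of this conditional is outside the hunk, so which configuration selects the protected branch cannot be confirmed from here.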
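Review bot: The new task installs the list at `{{ config_prefix|default('/') }}etc/dnscrypt-proxy/ip-blacklist.txt`, while the value the dnscrypt-proxy.toml.j2 hunk enables is the bare relative name `'ip-blacklist.txt'` whose own comment, the context line just above it, says relative paths resolve against the executable's directory rather than the config directory. If that comment is accurate for the dnscrypt-proxy version deployed, the proxy looks for the file next to its binary and the rebinding filter never loads; whether it then refuses to start or runs silently without the filter is not visible here, but the task and the template should agree on one absolute path, e.g. `blacklist_file = '/etc/dnscrypt-proxy/ip-blacklist.txt'` (with the same `config_prefix` treatment as `dest`) in the toml template. The task also sets no `mode`/`owner`; since the proxy may run as an unprivileged user on some platforms, an explicit `mode: "0644"` documents that the file is meant to be world-readable rather than relying on the umask.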
@@ -343,7 +343,7 @@ cache_neg_max_ttl = 600
 ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
- # blacklist_file = 'ip-blacklist.txt'
+ blacklist_file = 'ip-blacklist.txt'
 ## Optional path to a file logging blocked queries
diff --git a/roles/dns_encryption/templates/ip-blacklist.txt.j2 b/roles/dns_encryption/templates/ip-blacklist.txt.j2
new file mode 100644
index 0000000..d2189ff
--- /dev/null
+++ b/roles/dns_encryption/templates/ip-blacklist.txt.j2
@@ -0,0 +1,44 @@
+0.0.0.0
+10.*
+127.*
+169.254.*
+172.16.*
+172.17.*
+172.18.*
+172.19.*
+172.20.*
+172.21.*
+172.22.*
+172.23.*
+172.24.*
+172.25.*
+172.26.*
+172.27.*
+172.28.*
+172.29.*
+172.30.*
+172.31.*
+192.168.*
+::ffff:0.0.0.0
+::ffff:10.*
+::ffff:127.*
+::ffff:169.254.*
+::ffff:172.16.*
+::ffff:172.17.*
+::ffff:172.18.*
+::ffff:172.19.*
+::ffff:172.20.*
+::ffff:172.21.*
+::ffff:172.22.*
+::ffff:172.23.*
+::ffff:172.24.*
+::ffff:172.25.*
+::ffff:172.26.*
+::ffff:172.27.*
+::ffff:172.28.*
+::ffff:172.29.*
+::ffff:172.30.*
+::ffff:172.31.*
+::ffff:192.168.*
+fd00::*
+fe80::*
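Review bot: The uncommented `blacklist_file` line carries no explanation of why the list is now mandatory, and the remaining context line `## Optional path to a file logging blocked queries` documents the logging key in this section that stays disabled, which is the one place an operator could later see rebinding attempts being rejected. A short comment above the enabled line, e.g. `## Enabled to block DNS rebinding: upstream answers inside the ranges listed in ip-blacklist.txt are rejected`, plus a note that the blocked-query log can be turned on for visibility, would make the intent survive the next template refresh from upstream. The path-resolution concern for the relative `'ip-blacklist.txt'` value is raised on the roles/dns_encryption/tasks/main.yml hunk.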
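Review bot: The IPv6 half of the new list has no entry for the loopback address `::1` or the unspecified address `::`, although their IPv4 counterparts `127.*` and `0.0.0.0` are blocked, so a rebinding answer of `::1` presumably passes the filter for any client that resolves AAAA; `fe80::*` also matches only the compressed `fe80::` textual prefix rather than the whole fe80::/10 link-local block, and `fd00::*` covers only the fd00::/8 half of the fc00::/7 ULA range. The RFC 6598 shared address space 100.64.0.0/10 is absent on both the plain and the `::ffff:` side, and would need the same per-/16 expansion (`100.64.*` through `100.127.*`) used for 172.16–172.31. Since the file contains no Jinja expressions, a header comment naming the purpose and the upstream pattern syntax (trailing `*` is a textual prefix match) would help maintainers, provided the loader accepts `#` comment lines as the upstream example file does; confirm that before adding one.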