Prevent DNS rebinding (#1049)

roles/dns_adblocking/templates/dnsmasq.conf.j2

@@ -94,6 +94,7 @@ server={{ local_service_ip }}#5353
 {% for host in dns_servers.ipv4 %}
 server={{ host }}
 {% endfor %}
+stop-dns-rebind
 {% endif %}
 
 # and this sets the source (ie local) address used to talk to

roles/dns_encryption/tasks/main.yml

@@ -7,6 +7,13 @@
   include_tasks: freebsd.yml
   when: ansible_distribution == 'FreeBSD'
 
+- name: dnscrypt-proxy ip-blacklist configured
+  template:
+    src: ip-blacklist.txt.j2
+    dest: "{{ config_prefix|default('/') }}etc/dnscrypt-proxy/ip-blacklist.txt"
+  notify:
+    - restart dnscrypt-proxy
+
 - name: dnscrypt-proxy configured
   template:
     src: dnscrypt-proxy.toml.j2

roles/dns_encryption/templates/dnscrypt-proxy.toml.j2

@@ -343,7 +343,7 @@ cache_neg_max_ttl = 600
 
   ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
 
-  # blacklist_file = 'ip-blacklist.txt'
+  blacklist_file = 'ip-blacklist.txt'
 
 
   ## Optional path to a file logging blocked queries

roles/dns_encryption/templates/ip-blacklist.txt.j2

@@ -0,0 +1,44 @@
+0.0.0.0
+10.*
+127.*
+169.254.*
+172.16.*
+172.17.*
+172.18.*
+172.19.*
+172.20.*
+172.21.*
+172.22.*
+172.23.*
+172.24.*
+172.25.*
+172.26.*
+172.27.*
+172.28.*
+172.29.*
+172.30.*
+172.31.*
+192.168.*
+::ffff:0.0.0.0
+::ffff:10.*
+::ffff:127.*
+::ffff:169.254.*
+::ffff:172.16.*
+::ffff:172.17.*
+::ffff:172.18.*
+::ffff:172.19.*
+::ffff:172.20.*
+::ffff:172.21.*
+::ffff:172.22.*
+::ffff:172.23.*
+::ffff:172.24.*
+::ffff:172.25.*
+::ffff:172.26.*
+::ffff:172.27.*
+::ffff:172.28.*
+::ffff:172.29.*
+::ffff:172.30.*
+::ffff:172.31.*
+::ffff:192.168.*
+fd00::*
+fe80::*