Netgate Discussion Forum

    How to stop ad servers bypassing dnsmasq hosts block with IPv6 queries

    DHCP and DNS
    8 Posts 3 Posters 4.8k Views
    • paftdunk

      I have many ad/track servers blocked in a large hosts file using dnsmasq on pfs 2.3.2. I'm starting to see them do an end run around my firewall by tricking the stack into returning IPv6 results:

      Sep  2 00:24:39 pfsense dnsmasq[29620]: query[A] d.neodatagroup.com from 10.100.100.12
      Sep  2 00:24:39 pfsense dnsmasq[29620]: /usr/local/etc/dnsmasq.d/hosts.txt d.neodatagroup.com is 0.0.0.0
      Sep  2 00:24:39 pfsense dnsmasq[29620]: query[AAAA] d.neodatagroup.com from 10.100.100.12
      Sep  2 00:24:39 pfsense dnsmasq[29620]: forwarded d.neodatagroup.com to 208.67.222.222
      Sep  2 00:24:39 pfsense dnsmasq[29620]: reply d.neodatagroup.com is <CNAME>
      

      I have IPv6 disabled in System->Networking.
      I have all IPv6 traffic blocked on both the WAN and LAN interfaces.

      What can I do to ensure that dnsmasq always returns NODATA-IPv6 or NXDOMAIN for IPv6 addresses under every circumstance, short of ripping out the one pfsense bundles and recompiling my own copy without IPv6?

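      One way to spot this pattern in the dnsmasq log and turn it into a block that covers both address families: an added example in Python, not code from this thread or from pfSense. It parses query-log lines (the excerpt above plus four constructed lines for a name covered by an address=/.doubleclick.net/ wildcard, which dnsmasq logs as "config"), reports names answered from the hosts file for A but forwarded upstream for AAAA, and emits address=/name/ entries, which dnsmasq answers itself for every record type instead of forwarding. It assumes log-queries is enabled and that each answer line follows the most recent query for the same name.

```python
import re
from collections import defaultdict

# Sample dnsmasq query log (log-queries on). The first five lines are the excerpt
# posted in the thread; the last four are constructed to show a name covered by an
# address=/.doubleclick.net/ wildcard, logged as "config" and answered locally
# for both A and AAAA.
SAMPLE_LOG = """\
Sep  2 00:24:39 pfsense dnsmasq[29620]: query[A] d.neodatagroup.com from 10.100.100.12
Sep  2 00:24:39 pfsense dnsmasq[29620]: /usr/local/etc/dnsmasq.d/hosts.txt d.neodatagroup.com is 0.0.0.0
Sep  2 00:24:39 pfsense dnsmasq[29620]: query[AAAA] d.neodatagroup.com from 10.100.100.12
Sep  2 00:24:39 pfsense dnsmasq[29620]: forwarded d.neodatagroup.com to 208.67.222.222
Sep  2 00:24:39 pfsense dnsmasq[29620]: reply d.neodatagroup.com is <CNAME>
Sep  2 00:25:01 pfsense dnsmasq[29620]: query[A] ad.doubleclick.net from 10.100.100.12
Sep  2 00:25:01 pfsense dnsmasq[29620]: config ad.doubleclick.net is NXDOMAIN
Sep  2 00:25:01 pfsense dnsmasq[29620]: query[AAAA] ad.doubleclick.net from 10.100.100.12
Sep  2 00:25:01 pfsense dnsmasq[29620]: config ad.doubleclick.net is NXDOMAIN
"""

QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(A|AAAA)\] (\S+) from ")
LOCAL_RE = re.compile(r"dnsmasq\[\d+\]: (?:/\S+|config) (\S+) is ")  # hosts-file path or config
FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (\S+) to ")

def analyse(log_text):
    """Map each name to {qtype: 'local' | 'forwarded'}. Assumes an answer line
    belongs to the most recent query seen for that name (fine for a LAN log)."""
    pending = {}                 # name -> qtype of its most recent query
    outcome = defaultdict(dict)  # name -> {qtype: how it was answered}
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            pending[q.group(2)] = q.group(1)
            continue
        m, how = LOCAL_RE.search(line), "local"
        if not m:
            m, how = FORWARD_RE.search(line), "forwarded"
        if m and m.group(1) in pending:
            outcome[m.group(1)][pending[m.group(1)]] = how
    return dict(outcome)

def aaaa_leaks(outcome):
    """Names blocked locally for A but forwarded upstream for AAAA."""
    return sorted(n for n, o in outcome.items()
                  if o.get("A") == "local" and o.get("AAAA") == "forwarded")

def dnsmasq_address_lines(names):
    """address=/name/ lines: dnsmasq never forwards a listed domain and answers
    every record type for it itself (NXDOMAIN when no address is given)."""
    return [f"address=/{n}/" for n in names]
```

Run `dnsmasq_address_lines(aaaa_leaks(analyse(open("/var/log/resolver.log").read())))` against a real query log to get entries ready to paste into a dnsmasq custom-options block.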
      • RonpfS

        And did you put the CNAME in the hosts file?

        drill @8.8.8.8 d.neodatagroup.com
        
        ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 25994
        ;; flags: qr rd ra ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
        ;; QUESTION SECTION:
        ;; d.neodatagroup.com.	IN	A
        
        ;; ANSWER SECTION:
        d.neodatagroup.com.	5111	IN	CNAME	nc-dispatcher-load-balancer-1677695964.us-east-1.elb.amazonaws.com.
        nc-dispatcher-load-balancer-1677695964.us-east-1.elb.amazonaws.com.	59	IN	A	23.23.253.150
        nc-dispatcher-load-balancer-1677695964.us-east-1.elb.amazonaws.com.	59	IN	A	50.16.229.88
        nc-dispatcher-load-balancer-1677695964.us-east-1.elb.amazonaws.com.	59	IN	A	23.21.126.176
        
        ;; AUTHORITY SECTION:
        
        ;; ADDITIONAL SECTION:
        
        ;; Query time: 192 msec
        ;; SERVER: 8.8.8.8
        ;; WHEN: Fri Sep  2 01:59:29 2016
        ;; MSG SIZE  rcvd: 161
        
        

        2.4.5-RELEASE-p1 (amd64)
        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

        • paftdunk

          No, the only thing the hosts file has is 0.0.0.0.

          It turns out this (imo malicious) new lookup behavior is a misfeature in Safari in macOS 10.12/iOS 10. If I can't block it, I won't be able to upgrade.

          • RonpfS

            @paftdunk:

            No, the only thing the hosts file has is 0.0.0.0.

            You said earlier that
            @paftdunk:

            I have many ad/track servers blocked in a large hosts file using dnsmasq on pfs 2.3.2.

            so you probably have something like

            
            0.0.0.0 d.neodatagroup.com
            

            add the CNAME to the file.

            
            0.0.0.0 nc-dispatcher-load-balancer-1677695964.us-east-1.elb.amazonaws.com
            

            and see if this helps.

            Maybe you could use the DNS Resolver with pfBlockerNG DNSBL to filter domains.


            • paftdunk

              My question isn't how to block these individual domains. My question is how to disable dnsmasq from ever returning any IPv6 data ever.

              • RonpfS

                Yes, I know, but as pfBlockerNG removes the CNAME when whitelisting, maybe you could try putting the CNAME in the host override file to see if it still queries the ROOT servers.


                • johnpoz (LAYER 8 Global Moderator)

                  I don't believe unbound or dnsmasq has a filter-AAAA option like bind does. There might be a fork that adds it?

                  But what is it you're actually trying to prevent, your DNS from forwarding the query? Who cares if your client gets back AAAA for something they queried? If you have IPv6 blocked they sure are not going there, unless you're allowing them to use Teredo or something?

                  Are you having a problem that your client is getting back AAAA and getting there via 6to4 or Teredo? Is that the actual problem? Windows will do an AAAA query first, I do believe, if it has IPv6 enabled, which is on out of the box etc. I currently have it enabled on this machine but not bound to the interface. I just did a quick sniff and it's doing AAAA queries. But that might be the browser as well; let me disable it there and see.

                  So are you just wanting to stop the query itself, or prevent its forwarding from dnsmasq to where you're forwarding?

                  What I do for ad blocking is load up a list into unbound, but I use the redirect command, so for example
                  local-zone: "neodatagroup.com" redirect
                  local-data: "neodatagroup.com A 127.0.0.1"

                  Now when I do a query for the A record I get back loopback. If I do a query for AAAA I get back NOERROR and just nothing. Is that what you're looking to do?

                  
                  > dig d.neodatagroup.com
                  
                  ; <<>> DiG 9.10.4-P2 <<>> d.neodatagroup.com
                  ;; global options: +cmd
                  ;; Got answer:
                  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 969
                  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                  
                  ;; OPT PSEUDOSECTION:
                  ; EDNS: version: 0, flags:; udp: 4096
                  ;; QUESTION SECTION:
                  ;d.neodatagroup.com.            IN      A
                  
                  ;; ANSWER SECTION:
                  d.neodatagroup.com.     3600    IN      A       127.0.0.1
                  
                  ;; Query time: 1 msec
                  ;; SERVER: 192.168.9.253#53(192.168.9.253)
                  ;; WHEN: Sat Sep 03 03:40:16 Central Daylight Time 2016
                  ;; MSG SIZE  rcvd: 63
                  
                  > dig d.neodatagroup.com AAAA
                  
                  ; <<>> DiG 9.10.4-P2 <<>> d.neodatagroup.com AAAA
                  ;; global options: +cmd
                  ;; Got answer:
                  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1588
                  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
                  
                  ;; OPT PSEUDOSECTION:
                  ; EDNS: version: 0, flags:; udp: 4096
                  ;; QUESTION SECTION:
                  ;d.neodatagroup.com.            IN      AAAA
                  
                  ;; Query time: 1 msec
                  ;; SERVER: 192.168.9.253#53(192.168.9.253)
                  ;; WHEN: Sat Sep 03 03:40:20 Central Daylight Time 2016
                  ;; MSG SIZE  rcvd: 47
                  
                  

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  • paftdunk

                    @johnpoz:

                    But what is it you're actually trying to prevent, your DNS from forwarding the query? Who cares if your client gets back AAAA for something they queried? If you have IPv6 blocked they sure are not going there, unless you're allowing them to use Teredo or something?

                    You are correct. I realized the same thing thinking about this last night. So I guess it's more of a cosmetic issue.

                    What I do for ad blocking is load up a list into unbound, but I use the redirect command, so for example
                    local-zone: "neodatagroup.com" redirect
                    local-data: "neodatagroup.com A 127.0.0.1"

                    Now when I do a query for the A record I get back loopback. If I do a query for AAAA I get back NOERROR and just nothing. Is that what you're looking to do?

                    Thanks. I looked into unbound, but if what is quoted below is still accurate, then it wouldn't work for me. I have about 600 domains completely blocked with wildcard entries (address=/.doubleclick.net/) in addition to a separate hosts file with a couple hundred thousand entries, including a bunch that overlap with the wildcard domains. I maintain both lists and share the hosts file with friends (most of whom don't run dnsmasq). This setup is nice because I can periodically check the logs for any domains that return a result from 'config' and add them to the master hosts list.

                    @Criggie:

                    @Yowsers:

                    This is in the wiki as well.
                    https://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder/Resolver

                    Yes - and that page also misses a big gotcha.

                    As someone coming from dnsmasq / "forwarder", I had multiple host overrides too.

                    Unbound / resolver refuses to start if you set up a wildcard subdomain AND have host overrides that match. So you need to delete all the host overrides that use the same subdomain.

                    If you want to override a host in your domain override with unbound, best to do it on the resolver at which you are pointing.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.