How to stop ad servers bypassing dnsmasq hosts block with IPv6 queries



  • I have many ad/track servers blocked in a large hosts file using dnsmasq on pfs 2.3.2. I'm starting to see them do an end run around my firewall by tricking the stack into returning IPv6 results:

    Sep  2 00:24:39 pfsense dnsmasq[29620]: query[A] d.neodatagroup.com from 10.100.100.12
    Sep  2 00:24:39 pfsense dnsmasq[29620]: /usr/local/etc/dnsmasq.d/hosts.txt d.neodatagroup.com is 0.0.0.0
    Sep  2 00:24:39 pfsense dnsmasq[29620]: query[AAAA] d.neodatagroup.com from 10.100.100.12
    Sep  2 00:24:39 pfsense dnsmasq[29620]: forwarded d.neodatagroup.com to 208.67.222.222
    Sep  2 00:24:39 pfsense dnsmasq[29620]: reply d.neodatagroup.com is <cname></cname>
    

    I have IPv6 disabled in System->Networking.
    I have all IPv6 traffic blocked on both the WAN and LAN interfaces.

    What can I do to ensure that dnsmasq always returns NODATA-IPv6 or NXDOMAIN for IPv6 addresses under every circumstance, short of ripping out the one pfsense bundles and recompiling my own copy without IPv6?



  • And did you put the CNAME in the hosts file ?

    drill @8.8.8.8 d.neodatagroup.com
    
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 25994
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; d.neodatagroup.com.	IN	A
    
    ;; ANSWER SECTION:
    d.neodatagroup.com.	5111	IN	CNAME	nc-dispatcher-load-balancer-1677695964.us-east-1.elb.amazonaws.com.
    nc-dispatcher-load-balancer-1677695964.us-east-1.elb.amazonaws.com.	59	IN	A	23.23.253.150
    nc-dispatcher-load-balancer-1677695964.us-east-1.elb.amazonaws.com.	59	IN	A	50.16.229.88
    nc-dispatcher-load-balancer-1677695964.us-east-1.elb.amazonaws.com.	59	IN	A	23.21.126.176
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 192 msec
    ;; SERVER: 8.8.8.8
    ;; WHEN: Fri Sep  2 01:59:29 2016
    ;; MSG SIZE  rcvd: 161
    
    


  • No, the only thing host has is 0.0.0.0.

    It turns out this (imo malicious) new lookup behavior is a misfeature in Safari in macOS 10.12/iOS 10. If I can't block it, I won't be able to upgrade.



  • @paftdunk:

    No, the only thing host has is 0.0.0.0.

    You said earlier that
    @paftdunk:

    I have many ad/track servers blocked in a large hosts file using dnsmasq on pfs 2.3.2.

    so you probably have something like

    
    d.neodatagroup.com 0.0.0.0
    

    add the CNAME to the file.

    
    nc-dispatcher-load-balancer-1677695964.us-east-1.elb.amazonaws.com 0.0.0.0
    

    and see if this help.

    Maybe you could use DNS Resolver with pfBlockerNG DNSBL to filter domain.



  • My question isn't how to block these individual domains. My question is how to disable dnsmasq from ever returning any IPv6 data ever.



  • Yes I know, but as pfBlockerNG remove the CNAME when whitelisting, maybe you could try the putting the CNAME is the host override file to see if it still query the ROOT servers.


  • Rebel Alliance Global Moderator

    I don't believe unbound or dnsmasq has a filter AAAA like bind does..  There might be a fork that add its?

    But was is it your actually trying to prevent, your dns from doing the forward of the query?  Who cares if your client gets back AAAA for something they queried?  If you have ipv6 blocked they sure are not going there, unless your allowing them to use teredo or something?

    Are you having a problem that your client is getting back AAAA and getting there via 6to4 or teredo?  Is that the actual problem?  Windows will do a AAAA query first I do believe if it has ipv6 enabled.. Which is on out of the box etc..  I currently have it enabled on this machine but not bound to the interface.. I just did a quick sniff and its doing AAAA queries.. But that might be the browser as well, let me disable it there and see.

    So your just wanting to stop the query itself, or prevent its forward from dnsmasq to where your forwarding?

    What I do for ad blocking is load up list into unbound, but I use the redirect command so for example
    local-zone: "neodatagroup.com" redirect
    local-data: "neodatagroup.com A 127.0.0.1"

    Now when I do a query for the A record I get back loopback..  If do a query for AAAA get back noerror and just nothing..  Is that what your looking to do?

    
    > dig d.neodatagroup.com
    
    ; <<>> DiG 9.10.4-P2 <<>> d.neodatagroup.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 969
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;d.neodatagroup.com.            IN      A
    
    ;; ANSWER SECTION:
    d.neodatagroup.com.     3600    IN      A       127.0.0.1
    
    ;; Query time: 1 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Sat Sep 03 03:40:16 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 63
    
    > dig d.neodatagroup.com AAAA
    
    ; <<>> DiG 9.10.4-P2 <<>> d.neodatagroup.com AAAA
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1588
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;d.neodatagroup.com.            IN      AAAA
    
    ;; Query time: 1 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Sat Sep 03 03:40:20 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 47
    
    


  • @johnpoz:

    But was is it your actually trying to prevent, your dns from doing the forward of the query?  Who cares if your client gets back AAAA for something they queried?  If you have ipv6 blocked they sure are not going there, unless your allowing them to use teredo or something?

    You are correct. I realized the same thing thinking about this last night. So I guess it's more of a cosmetic issue.

    What I do for ad blocking is load up list into unbound, but I use the redirect command so for example
    local-zone: "neodatagroup.com" redirect
    local-data: "neodatagroup.com A 127.0.0.1"

    Now when I do a query for the A record I get back loopback..  If do a query for AAAA get back noerror and just nothing..  Is that what your looking to do?

    
    > dig d.neodatagroup.com
    
    ; <<>> DiG 9.10.4-P2 <<>> d.neodatagroup.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 969
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;d.neodatagroup.com.            IN      A
    
    ;; ANSWER SECTION:
    d.neodatagroup.com.     3600    IN      A       127.0.0.1
    
    ;; Query time: 1 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Sat Sep 03 03:40:16 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 63
    
    > dig d.neodatagroup.com AAAA
    
    ; <<>> DiG 9.10.4-P2 <<>> d.neodatagroup.com AAAA
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1588
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;d.neodatagroup.com.            IN      AAAA
    
    ;; Query time: 1 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Sat Sep 03 03:40:20 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 47
    
    

    Thanks. I looked into unbound, but if what is quoted below is still accurate, then it wouldn't work for me. I have about 600 domains completely blocked with wildcard entries (address=/.doubleclick.net/) in addition to a separate hosts file with a couple hundred thousand entries, including a bunch that overlap with the wildcard domains. I maintain both lists and share the hosts with friends (most of whom don't run dnsmasq). This setup is nice because I can periodically check the logs for any domains that return a result from 'config' and add it to the master host list.

    @Criggie:

    @Yowsers:

    This is in the wiki as well.
    https://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder/Resolver

    Yes - and that page also misses a big gotcha.

    As someone coming from dnsmasq / "forwarder"  I had multiple host overrides too.

    Unbound / resolver refuses to start if you set up a wildcard subdomain AND have host overrides that match.  So you need to delete all the host overrides that use the same subdomain.

    If you want to override a host in your domain override with unbound, best to do it on the resolver at which you are pointing.