On Fri, 2 Oct 2020 at 16:15, Huge huge@huge.org.uk wrote:
Perhaps you should read the RFC.
I think the relevant paragraphs are:
Because private addresses have no global meaning, routing information about private networks shall not be propagated on inter-enterprise links, and packets with private source or destination addresses should not be forwarded across such links. Routers in networks not using private address space, especially those of Internet service providers, are expected to be configured to reject (filter out) routing information about private networks. If such a router receives such information the rejection shall not be treated as a routing protocol error.
Indirect references to such addresses should be contained within the enterprise. Prominent examples of such references are DNS Resource Records and other information referring to internal private addresses. In particular, Internet service providers should take measures to prevent such leakage.
As this RFC predates RFC2119 it's not clear how words like "should" vs "shall" are meant, but assuming the terminology of RFC2119 (which I think was common at the time if not formalised) I take the above to mean that traffic for RFC1918 hosts MUST NOT leave the local network, but that things like DNS records are only recommended not to leave the enterprise, which gives (to me, anyway) some leeway for cases where doing so makes sense but it shouldn't be the norm.
It therefore feels right to me that dnsmasq should block RFC1918 addresses from outside the network by default but to have a mechanism to whitelist domains where required. (I presume that is why the whitelist function exists: it would be an odd thing to add if using it was always wrong.)
The more interesting aspect for me is following the whack-a-mole trail that got us here: defeating XSS attacks by enforcing same-host policies => exploit DNS to make two hosts look like the same host. It seems odd that the reason it is needed is that browser plugins don't use the browser DNS resolution tables, thus making it possible for a plugin to get a different DNS result from the browser for the same host at (close enough to) the same time. Is there a reason why browser plugin DNS queries are independent of the browser itself?
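The default-block-plus-allowlist behaviour discussed in this thread (reject upstream answers in RFC 1918 space, as dnsmasq does with --stop-dns-rebind, but let named domains through, as with --rebind-domain-ok), written out as an added example that is not dnsmasq's own code. It assumes that an allowlist entry also covers its subdomains and, as a further assumption, treats loopback answers the same way as RFC 1918 ones.

```python
import ipaddress
from typing import Iterable, List, Tuple

# RFC 1918 private ranges as quoted in the thread. Loopback is added as an
# assumption: an upstream answer of 127.0.0.1 serves a rebinding attack as well.
BLOCKED_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

Answer = Tuple[str, str]  # (rtype, rdata), e.g. ("A", "192.168.1.1")


def _norm(name: str) -> str:
    # Lower-case and drop the trailing dot so name comparisons are stable.
    return name.rstrip(".").lower()


def domain_allowed(qname: str, allowlist: Iterable[str]) -> bool:
    """True if qname is an allowlisted domain or a subdomain of one (assumption)."""
    q = _norm(qname)
    return any(q == _norm(e) or q.endswith("." + _norm(e)) for e in allowlist)


def is_blocked_address(rdata: str) -> bool:
    """True if rdata is an IPv4 literal inside one of BLOCKED_NETS."""
    try:
        ip = ipaddress.ip_address(rdata)
    except ValueError:
        return False  # not an address literal (e.g. a CNAME target)
    return any(ip in net for net in BLOCKED_NETS)  # an IPv6 address never matches


def filter_rebind(qname: str, answers: List[Answer],
                  allowlist: Iterable[str] = ()) -> Tuple[List[Answer], List[Answer]]:
    """Split an upstream reply for qname into (kept, rejected) records.

    Address records in blocked ranges are rejected unless qname is allowlisted;
    non-address records (CNAME, TXT, ...) always pass through.
    """
    if domain_allowed(qname, allowlist):
        return list(answers), []
    kept, rejected = [], []
    for rtype, rdata in answers:
        if rtype in ("A", "AAAA") and is_blocked_address(rdata):
            rejected.append((rtype, rdata))
        else:
            kept.append((rtype, rdata))
    return kept, rejected


if __name__ == "__main__":
    # Constructed upstream reply mixing a public address with a private one.
    reply = [("A", "203.0.113.10"), ("A", "192.168.1.1"), ("CNAME", "cdn.example.")]
    print(filter_rebind("www.example.", reply))
    print(filter_rebind("printer.corp.example.", [("A", "10.0.0.5")], ["corp.example"]))
```

A resolver that logs the rejected list gives the operator the same signal dnsmasq's logging of rebind attempts does: private addresses arriving from upstream for names that have no business resolving to them.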