After setting up a Raspberry Pi based router (behind two other routers) using Debian stretch, iptables, dnsmasq and hostapd, I have come to learn a seemingly endless number of interesting options that are by far not available in the proprietary world.
With regard to one very nasty problem however, I did not find a solution yet: certain very poorly designed Internet routers manipulate DNS responses, pointing any DNS request at their own configuration site as long as they are not on the line.
In my case this leads to – oh wonder! – dozens of warnings related to bad certificates on https connections. When it comes to http connections, fun is to be expected.
Given that dnsmasq is already configured properly to use specified DNS servers for external traffic and to use locally configured addresses as well as assigned DHCP leases for internal traffic:
Is it possible to configure dnsmasq in such a manner that manipulated responses, which point at a local address range even though they belong to a non-local domain, are filtered as invalid?
Example: a DNS request for anysite.com to 22.214.171.124 is being intercepted by 192.168.2.1, pointing at 192.168.2.1; as the latter however is not addressed by any top-level domain, such responses shall be discarded until the actual 126.96.36.199 can be reached.
Even though it might seem obvious – would this type of problem be solved for all kinds of clients by enabling and configuring the DNSSEC features of dnsmasq?
Thanks in advance!
The --stop-dns-rebind option will cause dnsmasq to ignore any address responses which are in private IP address space.
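As an added example (not from the question or the answer above), here is a dnsmasq.conf fragment that applies the answer on the Raspberry Pi router; the interface name wlan0, the local domain home.lan and the upstream resolver address 203.0.113.53 are assumed placeholders to be replaced with the real values.

```conf
# Added example, not from the question or answer above. Assumed values:
# interface wlan0, local domain "home.lan", upstream resolver 203.0.113.53
# (placeholder; substitute the real external DNS server).

interface=wlan0

# Do not read /etc/resolv.conf; forward external names only to server= lines.
no-resolv
server=203.0.113.53

# Names under home.lan are answered from /etc/hosts and DHCP leases only
# and are never forwarded upstream.
domain=home.lan
local=/home.lan/

# Never forward plain hostnames (no dot) and never forward reverse lookups
# for private ranges: both would otherwise reach the upstream router's DNS.
domain-needed
bogus-priv

# Reject (and log) every upstream answer that resolves to private space
# (RFC 1918 ranges, loopback, link-local and their IPv6 equivalents).
# This catches 192.168.2.1 being returned for anysite.com by the upstream
# router's captive DNS. Only upstream replies are checked; dnsmasq's own
# answers for local hosts and DHCP leases are unaffected.
stop-dns-rebind

# Exceptions: allow 127.0.0.0/8 answers (some DNS blocklist services rely on
# them) and allow private answers for names under the local domain, in case
# they ever arrive via an upstream split-horizon server.
rebind-localhost-ok
rebind-domain-ok=/home.lan/

# Useful while validating: each rejected answer appears in syslog as
# "possible DNS-rebind attack detected: anysite.com".
log-queries
```

Verify from a client behind the Pi with dig anysite.com while the upstream link is down: instead of 192.168.2.1 the client gets no answer, and the rebind warning shows up in the dnsmasq log.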
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.