Internal IP addresses being leaked

jfb · May 27, 2020, 12:47am

Unless there is something unusual about your Pi-hole setup, there is no need for the regex you have created. Pi-hole is based on dnsmasq (which is embedded in pihole-FTL) and the entire suite of dnsmasq commands is available. Per the dnsmasq documentation (http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html), the feature of interest is:

-b, --bogus-priv

Bogus private reverse lookups. All reverse lookups for private IP ranges (ie 192.168.x.x, etc) which are not found in /etc/hosts or the DHCP leases file are answered with "no such domain" rather than being forwarded upstream. The set of prefixes affected is the list given in RFC6303, for IPv4 and IPv6.

This is what you are toggling when you select the "Never forward reverse lookups for private IP ranges" checkbox.

https://github.com/pi-hole/AdminLTE/blob/b86e4a3178e46cef9fc738c6a0fb8d0ef0ff2fbc/settings.php#L142

If the domain is locally mapped, then Pi-hole will answer it. If the domain is not mapped, then NXDOMAIN is the return. Example - the IP in question does not exist on my network and is not mapped locally:

dig -x 192.168.0.202

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> -x 192.168.0.202
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34215
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;202.0.168.192.in-addr.arpa.	IN	PTR

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 26 19:31:31 CDT 2020
;; MSG SIZE  rcvd: 55

The transaction looks like this in /var/log/pihole.log with DNS_ BOGUS_PRIV=true

May 26 19:31:31 dnsmasq[26056]: query[PTR] 202.0.168.192.in-addr.arpa from 127.0.0.1
May 26 19:31:31 dnsmasq[26056]: config 192.168.0.202 is NXDOMAIN

The request doesn't leave the network and the reply is the expected NXDOMAIN.

Similar dig for a client on my network and mapped in /etc/hosts:

dig -x 192.168.0.110 +short
SmartThings-hub.

From the pihole.log, these transactions:

May 26 19:44:58 dnsmasq[30825]: query[PTR] 110.0.168.192.in-addr.arpa from 127.0.0.1
May 26 19:44:58 dnsmasq[30825]: /etc/hosts 192.168.0.110 is SmartThings-hub

If you disable the regex you have created, do you see PTRs for local IP's leaving your network?

And what is the output of this - verifying the configuration file contents:

cat /etc/pihole/setupVars.conf

and the permissions on that file:

ls -lha /etc/pihole/setupVars.conf