all: do not listen on 0.0.0.0 on desktop clients

Since this may create security vulnerabilities such as DNS amplification or abusing because the listener was exposed to the entire local network.
2026-02-03 22:18:39 +00:00 · 2025-05-06 19:59:11 +07:00
parent ace3b1e66e
commit 00e9d2bdd3
5 changed files with 34 additions and 4 deletions
--- a/cmd/cli/cli.go
+++ b/cmd/cli/cli.go
@@ -1216,13 +1216,18 @@ func tryUpdateListenerConfig(cfg *ctrld.Config, infoLogger *zerolog.Logger, noti
 	// For Windows server with local Dns server running, we can only try on random local IP.
 	hasLocalDnsServer := hasLocalDnsServerRunning()
 	notRouter := router.Name() == ""
+	isDesktop := ctrld.IsDesktopPlatform()
 	for n, listener := range cfg.Listener {
 		lcc[n] = &listenerConfigCheck{}
 		if listener.IP == "" {
 			listener.IP = "0.0.0.0"
-			if hasLocalDnsServer {
-				// Windows Server lies to us that we could listen on 0.0.0.0:53
-				// even there's a process already done that, stick to local IP only.
+			// Windows Server lies to us that we could listen on 0.0.0.0:53
+			// even there's a process already done that, stick to local IP only.
+			//
+			// For desktop clients, also stick the listener to the local IP only.
+			// Listening on 0.0.0.0 would expose it to the entire local network, potentially
+			// creating security vulnerabilities (such as DNS amplification or abusing).
+			if hasLocalDnsServer || isDesktop {
 				listener.IP = "127.0.0.1"
 			}
 			lcc[n].IP = true
--- a/cmd/cli/dns_proxy.go
+++ b/cmd/cli/dns_proxy.go
@@ -1042,8 +1042,10 @@ func (p *prog) queryFromSelf(ip string) bool {
 	return false
 }

+// needRFC1918Listeners reports whether ctrld need to spawn listener for RFC 1918 addresses.
+// This is helpful for non-desktop platforms to receive queries from LAN clients.
 func needRFC1918Listeners(lc *ctrld.ListenerConfig) bool {
-	return lc.IP == "127.0.0.1" && lc.Port == 53
+	return lc.IP == "127.0.0.1" && lc.Port == 53 && !ctrld.IsDesktopPlatform()
 }

 // ipFromARPA parses a FQDN arpa domain and return the IP address if valid.
--- a/desktop_darwin.go
+++ b/desktop_darwin.go
@@ -0,0 +1,7 @@
+package ctrld
+
+// IsDesktopPlatform indicates if ctrld is running on a desktop platform,
+// currently defined as macOS or Windows workstation.
+func IsDesktopPlatform() bool {
+	return true
+}
--- a/desktop_others.go
+++ b/desktop_others.go
@@ -0,0 +1,9 @@
+//go:build !windows && !darwin
+
+package ctrld
+
+// IsDesktopPlatform indicates if ctrld is running on a desktop platform,
+// currently defined as macOS or Windows workstation.
+func IsDesktopPlatform() bool {
+	return false
+}
--- a/desktop_windows.go
+++ b/desktop_windows.go
@@ -0,0 +1,7 @@
+package ctrld
+
+// IsDesktopPlatform indicates if ctrld is running on a desktop platform,
+// currently defined as macOS or Windows workstation.
+func IsDesktopPlatform() bool {
+	return isWindowsWorkStation()
+}