[Dnsmasq-discuss] configurable stop-dns-rebind?

Simon Kelley simon at thekelleys.org.uk
Wed May 12 22:00:22 BST 2010


clemens fischer wrote:
> Simon Kelley wrote:
> 
>> OK, try test25, in the usual place. I called the option
>> --rebind-domain-ok but otherwise it's as Clemens describes.
> 
> What can I say?  It just works!  I have "stop-dns-rebind" on and three
> dnsbl's configured:
> 
>     --rebind-domain-ok=/zen.spamhaus.org/
>     --rebind-domain-ok=/dnsbl-1.uceprotect.net/
>     --rebind-domain-ok=/ix.dnsbl.manitu.net/
> 
> The smtp server (postfix) does its lookups and gets the proper results
> in the 127/8 range.  Then I removed the above arguments from dnsmasq's
> command line:  now I see "possible DNS-rebind attack detected" for
> connecting IPs listed for spamming.
> 
> A perfect result!
> 
I added the offending domain to the log message and turned it on on my
mail server box, which is running SpamAssassin. In addition to the three
you have, I've added

rebind-domain-ok=/rfc-ignorant.org/
rebind-domain-ok=/sorbs.net/
rebind-domain-ok=/uribl.com/
rebind-domain-ok=/surbl.org/
rebind-domain-ok=/dnswl.org/
rebind-domain-ok=/njabl.org/

and it seems to be quiet now.

Cheers,

Simon.
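To make the interaction between stop-dns-rebind and rebind-domain-ok concrete, here is an added Python model of the filtering decision discussed in this thread. It is not dnsmasq's code: it approximates the behaviour (an answer in a private range is treated as a possible rebind and the reply is withheld with a log line naming the queried domain, unless the name falls under one of the rebind-domain-ok domains) using Python's ipaddress module as the "private range" test, the allowlist is the set of DNSBL domains from this thread, and the sample queries and addresses are constructed for illustration.

```python
import ipaddress

# Allowlist assumed from the rebind-domain-ok lines in this thread.
# The /domain/ form matches the domain itself and any name below it.
REBIND_DOMAIN_OK = (
    "zen.spamhaus.org", "dnsbl-1.uceprotect.net", "ix.dnsbl.manitu.net",
    "rfc-ignorant.org", "sorbs.net", "uribl.com", "surbl.org",
    "dnswl.org", "njabl.org",
)


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop a trailing dot so comparisons are stable."""
    return name.rstrip(".").lower()


def rebind_domain_ok(qname: str, allowlist=REBIND_DOMAIN_OK) -> bool:
    """True if qname equals, or lies below, one of the allowlisted domains."""
    q = normalize(qname)
    for dom in allowlist:
        d = normalize(dom)
        if q == d or q.endswith("." + d):
            return True
    return False


def looks_like_rebind(address: str) -> bool:
    """Approximation of dnsmasq's private-range test: 127/8, RFC 1918,
    169.254/16, 0/8 and their IPv6 counterparts all count as private here."""
    return ipaddress.ip_address(address).is_private


def filter_answer(qname: str, addresses, stop_dns_rebind: bool = True,
                  allowlist=REBIND_DOMAIN_OK):
    """Decide what a resolver with stop-dns-rebind would hand back.

    Returns (kept_addresses, log_lines). If any address is private and the
    name is not allowlisted, the whole answer is withheld and a log line of
    the form used in this thread (domain appended) is produced. This is a
    simplified model, not dnsmasq's actual reply handling.
    """
    if not stop_dns_rebind or rebind_domain_ok(qname, allowlist):
        return list(addresses), []
    for addr in addresses:
        if looks_like_rebind(addr):
            return [], [f"possible DNS-rebind attack detected: {normalize(qname)}"]
    return list(addresses), []


if __name__ == "__main__":
    # Constructed sample lookups: a DNSBL-style query (listed IPs answer in
    # 127/8), an ordinary public answer, and a private answer for an
    # unrelated name, first with and then without the allowlist.
    samples = [
        ("2.0.0.127.zen.spamhaus.org", ["127.0.0.2"]),
        ("www.example.", ["93.184.216.34"]),
        ("lookup.example", ["10.0.0.1"]),
    ]
    for name, addrs in samples:
        print(name, filter_answer(name, addrs))
    print("without allowlist:",
          filter_answer("2.0.0.127.zen.spamhaus.org", ["127.0.0.2"], allowlist=()))
```

Running it shows the two states Clemens describes: with the DNSBL domains allowlisted, the 127.0.0.2 listing answer is returned to the MTA; with the allowlist emptied, the same answer is withheld and logged as a possible rebind, now with the domain in the message.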
