[Dnsmasq-discuss] DNS request status opcode forwarded

Simon Kelley simon at thekelleys.org.uk
Thu Dec 6 14:36:13 GMT 2012


On 06/12/12 14:09, Wouter ibens wrote:
> Hi,
> 
> I have noticed that DNS queries with opcode 2 (server status request)
> arriving at dnsmasq are forwarded to the upstream dns servers.
> 
> However, this document
> (http://www.eric-a-hall.com/specs/draft-hall-status-opcode-00-1.txt)
> states these queries MUST NOT be forwarded by DNS servers (See section
> 6, Security considerations).

It's an interesting question whether dnsmasq counts as a "DNS server" or a
"DNS proxy" in this case. The sentence in question is

     "the status query MUST NOT be
     forwarded by DNS servers, as this could allow a malicious user to
     leverage a trust relationship between two servers in order to gain
     information which was not available to them directly."

Since it's unlikely that there will be any trust relationship between
dnsmasq and an upstream server, then this arguably doesn't apply.

RFC 5635: "DNS Proxy Implementation Guidelines" doesn't mention anything
at all about status queries, but it does say:

   The role of the proxy should therefore be no more and no less than to
   receive DNS requests from clients on the LAN side, forward those
   verbatim to one of the known upstream recursive resolvers on the WAN
   side, and ensure that the whole response is returned verbatim to the
   original client.

Which implies that all queries (including STATUS queries) should be updated.

> 
> Do you have any plans on modifying the behaviour of dnsmasq with respect
> to these requests?
> 

I'm interested to hear informed opinions on if the behaviour should be
changed. I'm not sure it actually makes much difference either way.


Cheers,

Simon.
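An added example (not dnsmasq's own code) of the proxy decision discussed above: decode the DNS header, forward only standard queries (opcode 0), and answer a STATUS query (opcode 2) locally with NOTIMP instead of passing it upstream. It goes slightly beyond the thread by treating the obsolete IQUERY opcode the same way; the sample message is constructed here.

```python
import struct

OPCODE_QUERY, OPCODE_IQUERY, OPCODE_STATUS = 0, 1, 2
RCODE_NOTIMP = 4


def parse_header(msg):
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,       # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 0 QUERY, 1 IQUERY, 2 STATUS
        "rd": (flags >> 8) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def make_query(ident, opcode, rd=True):
    """Build a header-only query message (constructed test input)."""
    flags = (opcode << 11) | (int(rd) << 8)
    return struct.pack("!HHHHHH", ident, flags, 0, 0, 0, 0)


def should_forward(msg):
    """A proxy forwards only standard queries; STATUS/IQUERY stay local."""
    hdr = parse_header(msg)
    return hdr["qr"] == 0 and hdr["opcode"] == OPCODE_QUERY


def refuse_notimp(msg):
    """Reply NOTIMP: echo ID, opcode and RD, set QR, no sections."""
    hdr = parse_header(msg)
    flags = (1 << 15) | (hdr["opcode"] << 11) | (hdr["rd"] << 8) | RCODE_NOTIMP
    return struct.pack("!HHHHHH", hdr["id"], flags, 0, 0, 0, 0)


def handle_query(msg, forward):
    """Proxy entry point: `forward` sends the message upstream verbatim."""
    if should_forward(msg):
        return forward(msg)
    return refuse_notimp(msg)


# Constructed sample: a STATUS (opcode 2) request with ID 0x1234 and RD set.
STATUS_QUERY = make_query(0x1234, OPCODE_STATUS)
```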