[Dnsmasq-discuss] DNS request status opcode forwarded
Simon Kelley
simon at thekelleys.org.uk
Thu Dec 6 14:36:13 GMT 2012
On 06/12/12 14:09, Wouter ibens wrote:
> Hi,
>
> I have noticed that DNS queries with opcode 2 (server status request)
> arriving at dnsmasq are forwarded to the upstream dns servers.
>
> However, this document
> (http://www.eric-a-hall.com/specs/draft-hall-status-opcode-00-1.txt)
> states these queries MUST NOT be forwarded by DNS servers (See section
> 6, Security considerations).
It's an interesting question whether dnsmasq counts as a "DNS server" or a
"DNS proxy" in this case. The sentence in question is:
"the status query MUST NOT be
forwarded by DNS servers, as this could allow a malicious user to
leverage a trust relationship between two servers in order to gain
information which was not available to them directly."
Since it's unlikely that there will be any trust relationship between
dnsmasq and an upstream server, then this arguably doesn't apply.
RFC 5635: "DNS Proxy Implementation Guidelines" doesn't mention anything
at all about status queries, but it does say:
The role of the proxy should therefore be no more and no less than to
receive DNS requests from clients on the LAN side, forward those
verbatim to one of the known upstream recursive resolvers on the WAN
side, and ensure that the whole response is returned verbatim to the
original client.
Which implies that all queries (including STATUS queries) should be updated.
>
> Do you have any plans on modifying the behaviour of dnsmasq with respect
> to these requests?
>
I'm interested to hear informed opinions on if the behaviour should be
changed. I'm not sure it actually makes much difference either way.
Cheers,
Simon.
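The thread above contrasts two proxy policies for a DNS message whose opcode is not QUERY: forward it verbatim upstream, or refuse it locally. The following added example (not dnsmasq code, and not from either correspondent) shows what each policy looks like at the packet level: it parses the 12-byte DNS header, reads the 4-bit opcode, and either passes the message through or answers it with a NOTIMP (rcode 4) response, which is the conventional way a resolver declines an opcode it does not implement. The function names, the `allowed` parameter and the sample queries for example.com are all constructed for this illustration.

```python
import struct

# Opcode and rcode values from the DNS header (RFC 1035 section 4.1.1).
OPCODE_QUERY = 0
OPCODE_STATUS = 2      # the "server status request" opcode discussed above
RCODE_NOTIMP = 4       # "Not Implemented"


def build_query(txid, qname, opcode=OPCODE_QUERY, rd=True):
    """Construct a minimal one-question DNS message (type A, class IN).

    Used here only to create sample input; a real proxy receives these
    on the wire.
    """
    flags = ((opcode & 0xF) << 11) | (0x0100 if rd else 0)  # QR=0, RD as given
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in qname.split(".")
    )
    question += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return header + question


def parse_header(packet):
    """Decode the fixed 12-byte DNS header into its fields."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd,
    }


def notimp_response(packet):
    """Build a NOTIMP reply that echoes the client's ID, opcode, RD bit and question."""
    hdr = parse_header(packet)
    flags = (1 << 15) | (hdr["opcode"] << 11) | (hdr["rd"] << 8) | RCODE_NOTIMP
    header = struct.pack("!HHHHHH", hdr["id"], flags, hdr["qdcount"], 0, 0, 0)
    return header + packet[12:]  # keep the question section as-is


def proxy_decision(packet, allowed=(OPCODE_QUERY,)):
    """Decide what a LAN-side proxy does with an inbound message.

    Returns ("forward", packet) for opcodes in `allowed` (pass verbatim
    upstream, the RFC 5625-style behaviour), ("reply", response) with a
    NOTIMP message for any other opcode, and ("drop", None) for a message
    that is already a response (QR=1) and so should never be relayed upstream.
    Passing allowed=(OPCODE_QUERY, OPCODE_STATUS) reproduces the
    forward-everything policy; the default refuses STATUS locally.
    """
    hdr = parse_header(packet)
    if hdr["qr"] == 1:
        return ("drop", None)
    if hdr["opcode"] in allowed:
        return ("forward", packet)
    return ("reply", notimp_response(packet))


if __name__ == "__main__":
    # Constructed sample input: a normal query and a STATUS request for the same name.
    for opcode in (OPCODE_QUERY, OPCODE_STATUS):
        pkt = build_query(0x1234, "example.com", opcode=opcode)
        action, out = proxy_decision(pkt)
        print(f"opcode={opcode}: {action}", "" if out is None else parse_header(out))
```

The `allowed` tuple is the whole policy: with the default, a STATUS request gets a NOTIMP answer on the LAN side and never reaches the upstream server; with `(OPCODE_QUERY, OPCODE_STATUS)` it is relayed unchanged, which is the forward-verbatim reading of the proxy guidelines quoted above.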