[Dnsmasq-discuss] DNSMasq and DNS reflection attacks
simon at thekelleys.org.uk
Fri Oct 25 11:14:36 BST 2013
On 24/10/13 23:41, Vladislav Grishenko wrote:
>> From: Simon Kelley
>> Sent: Thursday, October 24, 2013 11:00 PM
>> So, don't use --bind-interfaces. If you're on Linux, you can use
>> --bind-dynamic instead if you're running multiple dnsmasq instances.
> So, on Linux --bind-interfaces can be just an alias of --bind-dynamic, with
> no --bind-interfaces code and no warnings, less binary size, more security.
There's practically no code that could be removed with
--bind-interfaces; --bind-dynamic is pretty much bind-interfaces plus
the code to determine arrival interface, which is disabled or missing
with bind-interfaces, plus some new code to notice new addresses arriving.
If it could be supported everywhere, I'd just have extended
bind-interfaces to work in the way that the new bind-dynamic mode does,
but I don't want to have one mode which behaves subtly differently on
different platforms. By giving the new mode a new option, I can raise an
error when it's not available.
> Best Regards, Vladislav Grishenko