[Dnsmasq-discuss] DNSMasq and DNS reflection attacks

Simon Kelley simon at thekelleys.org.uk
Fri Oct 25 11:14:36 BST 2013

On 24/10/13 23:41, Vladislav Grishenko wrote:
>> From: Simon Kelley
>> Sent: Thursday, October 24, 2013 11:00 PM
>> So, don't use --bind-interfaces. If you're on Linux, you can use --bind-
>> dynamic instead if you're running multiple dnsmasq instances.
> So, on Linux --bind-interfaces can be just an alias of --bind-dynamic, with
> no --bind-interfaces code and no warnings, less binary size, more security.

There's practically no code that could be removed with 
--bind-interfaces; --bind-dynamic is pretty much bind-interfaces plus 
the code to determine the arrival interface, which is disabled or missing 
with bind-interfaces, plus some new code to notice new addresses arriving.

If it could be supported everywhere, I'd just have extended 
bind-interfaces to work in the way that the new bind-dynamic mode does, 
but I don't want to have one mode which behaves subtly differently on 
different platforms. By giving the new mode a new option, I can raise an 
error when it's not available.
> Best Regards, Vladislav Grishenko
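The thread's underlying concern is dnsmasq answering DNS on addresses it was never meant to serve. Whichever bind mode is in use, the check below (added here, not code from the dnsmasq project or either poster) parses `ss -lnup` output and flags dnsmasq port-53 sockets bound to the wildcard or to any address outside an allow-list; the allow-list and the sample `ss` output are constructed for the example.

```shell
#!/bin/sh
# Added example: report dnsmasq DNS sockets exposed outside an allow-list.
# Real use: find_exposed_dns "$(ss -lnup)" "$ALLOWED"   (the -p column needs root)

# Assumed LAN/loopback addresses dnsmasq is allowed to serve (constructed).
ALLOWED="127.0.0.1 192.168.1.1 ::1"

# Constructed sample in the column layout `ss -lnup` prints on Linux.
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:53        0.0.0.0:*    users:(("dnsmasq",pid=1234,fd=4))
udp   UNCONN 0      0      192.168.1.1:53    0.0.0.0:*    users:(("dnsmasq",pid=1234,fd=6))
udp   UNCONN 0      0      203.0.113.7:53    0.0.0.0:*    users:(("dnsmasq",pid=1234,fd=8))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*    users:(("dhclient",pid=99,fd=5))'

# $1: text of `ss -lnup`; $2: space-separated allowed addresses.
# Prints one offending local address per line; returns 1 if any were found.
find_exposed_dns() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Column 5 is Local Address:Port; the last column names the owning process.
        $NF ~ /"dnsmasq"/ && $5 ~ /:53$/ {
            addr = $5
            sub(/:53$/, "", addr)          # drop the port
            gsub(/^\[|\]$/, "", addr)      # strip IPv6 brackets, e.g. [::]:53
            # 0.0.0.0, *, :: and any non-listed address count as exposed.
            if (!(addr in ok)) { print addr; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

find_exposed_dns "$SAMPLE" "$ALLOWED" \
    || echo "dnsmasq is serving DNS on an address outside the allow-list"
```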
