[Dnsmasq-discuss] Recursive DNS on dnsmasq

[Matthias Andree]

Am 25.02.2014 21:50, schrieb Simon Kelley:
> I agree that this is definitely a packaging issue rather than an
> "upstream" one. Unfortunately, as Debian packager for dnsmasq as well as
> maintainer, I'm still on the hook!  There's an open bug against the
> Debian dnsmasq package that makes the same point as the OP here.
> 
> The problem is that pretty difficult to do anything automatically. You
> can limit dnsmasq to the loopback interface, which would be safe, but
> break an awful lot of existing installations. Something I'm wondering
> about in Debian is to limit to 127.0.0.1 for new installations, but not
> upgrades. I've not yet worked out how to actually implement that, though.

Simon,

for leafnode (an NNTP server with similar deployment scenarios to
dnsmasq: at home---but not on routers, however),
I implement things like this:

1. For IPv4: scan the list of interfaces/netmasks

   If Source_IPv4_of_query & netmask == Interfacev4Addr & netmask
   for any interface: accept

2. If user has set a special parameter (which requires distinct
   capitalization and value): accept

3. Else reject.

IPv6 works differently and currently accepts the local (including
site-local) and loopback addresses.

I'm not sure if that is a good approach, probably it should also be
checking interface/prefix-lengths but when I implemented that code a
decade ago, IPv6 was not very wide-spread for home use, getifaddrs() was
not invented, and still somewhat in a state of flux regarding address
and site/link-local allocations.  Since there were no complaints, I
stuck with my approach.

If you want to take a look, the code is under LPGLv2, but I don't have a
browseable repository. Clone with Git from
http://mandree.home.pages.de/leafnode/leafnode-1.git/ and grab
checkpeerlocal.c, or take it from the latest leafnode-1.11.X tarball
<http://www.leafnode.org/>

HTH.

Cheers,
Matthias