[Dnsmasq-discuss] Recursive DNS on dnsmasq
matthias.andree at gmx.de
Tue Feb 25 21:34:51 UTC 2014
On 25.02.2014 21:50, Simon Kelley wrote:
> I agree that this is definitely a packaging issue rather than an
> "upstream" one. Unfortunately, as Debian packager for dnsmasq as well as
> maintainer, I'm still on the hook! There's an open bug against the
> Debian dnsmasq package that makes the same point as the OP here.
> The problem is that it's pretty difficult to do anything automatically. You
> can limit dnsmasq to the loopback interface, which would be safe, but
> break an awful lot of existing installations. Something I'm wondering
> about in Debian is to limit to 127.0.0.1 for new installations, but not
> upgrades. I've not yet worked out how to actually implement that, though.
For leafnode (an NNTP server with similar deployment scenarios to
dnsmasq: at home, but not on routers),
I implement things like this:
1. For IPv4: scan the list of interfaces/netmasks.
   If Source_IPv4_of_query & netmask == Interfacev4Addr & netmask
   for any interface: accept.
2. If the user has set a special parameter (which requires distinct
   capitalization and value): accept.
3. Else: reject.
IPv6 works differently and currently accepts the local (including
site-local) and loopback addresses.
I'm not sure if that is a good approach; probably it should also be
checking interface/prefix lengths, but when I implemented that code a
decade ago, IPv6 was not very widespread for home use, getifaddrs() had
not been invented, and IPv6 was still somewhat in a state of flux regarding
address and site/link-local allocations. Since there were no complaints, I
stuck with my approach.
If you want to take a look, the code is under LGPLv2, but I don't have a
browseable repository. Clone with Git from
http://mandree.home.pages.de/leafnode/leafnode-1.git/ and grab
checkpeerlocal.c, or take it from the latest leafnode-1.11.X tarball.
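The three-step IPv4 rule from the message above, written out as an added C example. This is not leafnode's checkpeerlocal.c and not dnsmasq code; the struct, function names and the `allow_all` flag (standing in for the "special parameter") are my own, and the interface table in `check_peer_str` is constructed by hand so the check runs deterministically. `load_ifaces` shows how the same table would be filled on a real host with getifaddrs(), which the post notes did not exist when the original code was written.

```c
/* Added example: "is the peer on one of my directly attached IPv4
 * subnets?" as described in the post. A peer is accepted if, for some
 * interface (addr, mask):   peer & mask == addr & mask.
 * Not leafnode's or dnsmasq's code; names are this example's own. */
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>

struct v4_iface {
    struct in_addr addr;   /* interface address */
    struct in_addr mask;   /* its netmask */
};

/* Step 1 of the post: same-subnet test against every interface. */
static int peer_on_local_subnet(struct in_addr peer,
                                const struct v4_iface *ifs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if ((peer.s_addr & ifs[i].mask.s_addr) ==
            (ifs[i].addr.s_addr & ifs[i].mask.s_addr))
            return 1;
    }
    return 0;
}

/* Steps 1-3 combined. 'allow_all' is a hypothetical stand-in for the
 * post's "special parameter" that opens the server to everyone. */
static int accept_peer(struct in_addr peer, const struct v4_iface *ifs,
                       size_t n, int allow_all)
{
    if (peer_on_local_subnet(peer, ifs, n))
        return 1;
    if (allow_all)
        return 1;
    return 0;
}

/* Deterministic wrapper: one constructed interface, dotted-quad strings in,
 * verdict out (1 accept, 0 reject, -1 malformed address). */
int check_peer_str(const char *peer_s, const char *ifaddr_s,
                   const char *mask_s, int allow_all)
{
    struct in_addr peer;
    struct v4_iface ifc;
    if (inet_pton(AF_INET, peer_s, &peer) != 1 ||
        inet_pton(AF_INET, ifaddr_s, &ifc.addr) != 1 ||
        inet_pton(AF_INET, mask_s, &ifc.mask) != 1)
        return -1;
    return accept_peer(peer, &ifc, 1, allow_all);
}

/* Real-host variant: fills the table from getifaddrs(). Returns the number
 * of IPv4 interfaces found, or -1 on error. Loopback is included, so
 * 127.0.0.0/8 peers are accepted just like any attached subnet. */
int load_ifaces(struct v4_iface *out, size_t max)
{
    struct ifaddrs *ifa, *p;
    size_t n = 0;
    if (getifaddrs(&ifa) != 0)
        return -1;
    for (p = ifa; p && n < max; p = p->ifa_next) {
        if (!p->ifa_addr || !p->ifa_netmask ||
            p->ifa_addr->sa_family != AF_INET)
            continue;
        out[n].addr = ((struct sockaddr_in *)p->ifa_addr)->sin_addr;
        out[n].mask = ((struct sockaddr_in *)p->ifa_netmask)->sin_addr;
        n++;
    }
    freeifaddrs(ifa);
    return (int)n;
}

int main(void)
{
    struct v4_iface ifs[32];
    int n = load_ifaces(ifs, 32);
    struct in_addr peer;
    inet_pton(AF_INET, "8.8.8.8", &peer);   /* an off-subnet peer */
    printf("%d IPv4 interfaces; 8.8.8.8 accepted: %d\n", n,
           n > 0 ? accept_peer(peer, ifs, (size_t)n, 0) : 0);
    return 0;
}
```

One caveat when carrying this over from NNTP to DNS: leafnode's check runs on an established TCP connection, where the peer address has survived a handshake. A dnsmasq query normally arrives over UDP, where the source address is whatever the sender wrote into the packet, so an on-subnet source address is evidence of locality only if the upstream router also drops spoofed packets; the interface/netmask test is still a useful default, but not a substitute for binding to specific interfaces.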