[Dnsmasq-discuss] Recursive DNS on dnsmasq

Simon Kelley simon at thekelleys.org.uk
Fri Feb 28 10:36:05 UTC 2014


On 25/02/14 21:34, Matthias Andree wrote:
> Am 25.02.2014 21:50, schrieb Simon Kelley:
>> I agree that this is definitely a packaging issue rather than an
>> "upstream" one. Unfortunately, as Debian packager for dnsmasq as well as
>> maintainer, I'm still on the hook!  There's an open bug against the
>> Debian dnsmasq package that makes the same point as the OP here.
>>
>> The problem is that it's pretty difficult to do anything automatically. You
>> can limit dnsmasq to the loopback interface, which would be safe, but
>> break an awful lot of existing installations. Something I'm wondering
>> about in Debian is to limit to 127.0.0.1 for new installations, but not
>> upgrades. I've not yet worked out how to actually implement that, though.
> 
> Simon,
> 
> for leafnode (an NNTP server with similar deployment scenarios to
> dnsmasq: at home---but not on routers, however),
> I implement things like this:
> 
> 1. For IPv4: scan the list of interfaces/netmasks
> 
>    If Source_IPv4_of_query & netmask == Interfacev4Addr & netmask
>    for any interface: accept
> 
> 2. If user has set a special parameter (which requires distinct
>    capitalization and value): accept
> 
> 3. Else reject.
> 
> IPv6 works differently and currently accepts the local (including
> site-local) and loopback addresses.
> 
> I'm not sure if that is a good approach, probably it should also be
> checking interface/prefix-lengths but when I implemented that code a
> decade ago, IPv6 was not very widespread for home use, getifaddrs() was
> not invented, and still somewhat in a state of flux regarding address
> and site/link-local allocations.  Since there were no complaints, I
> stuck with my approach.
> 
> If you want to take a look, the code is under LGPLv2, but I don't have a
> browseable repository. Clone with Git from
> http://mandree.home.pages.de/leafnode/leafnode-1.git/ and grab
> checkpeerlocal.c, or take it from the latest leafnode-1.11.X tarball
> <http://www.leafnode.org/>
> 

That would be a neat option to have, and as a default for new
installations, it's much more useful than "127.0.0.1 only". Would still
break (some) existing installations if enabled automatically on upgrade
though.


Cheers,

Simon.
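The three-step peer check Matthias describes above (accept if the query source shares an IPv4 subnet with any local interface, accept on an explicit administrator override, otherwise reject), written out as an added example. This is not leafnode's checkpeerlocal.c nor dnsmasq code; the names local_net_v4, peer_allowed_v4, collect_local_nets_v4 and sample_decision_v4 are this example's own, and the 192.168.1.10/24 and 10.0.0.5/8 interfaces in sample_decision_v4 are constructed sample data. The live interface list comes from getifaddrs(), as mentioned in the thread.

```c
/* Added example, not leafnode's or dnsmasq's code. Build on Linux/BSD with:
 *   cc -Wall -o peercheck peercheck.c */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* One local interface: IPv4 address and netmask, both in network byte order. */
struct local_net_v4 {
    uint32_t addr;
    uint32_t mask;
};

/* Step 1: accept when (peer & mask) == (ifaddr & mask) for any local
 * interface. Byte order is irrelevant as long as all three values share it. */
bool peer_in_local_net_v4(uint32_t peer, const struct local_net_v4 *nets, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if ((peer & nets[i].mask) == (nets[i].addr & nets[i].mask))
            return true;
    return false;
}

/* Steps 1-3: subnet match accepts, the administrator's explicit override
 * accepts, everything else is rejected. admin_override stands in for the
 * "special parameter" of the quoted message (hypothetical name). */
bool peer_allowed_v4(uint32_t peer, const struct local_net_v4 *nets, size_t n,
                     bool admin_override)
{
    return peer_in_local_net_v4(peer, nets, n) || admin_override;
}

/* Parse dotted-quad address/netmask strings into one entry; false if malformed. */
bool make_net_v4(struct local_net_v4 *out, const char *addr, const char *mask)
{
    struct in_addr a, m;
    if (inet_pton(AF_INET, addr, &a) != 1 || inet_pton(AF_INET, mask, &m) != 1)
        return false;
    out->addr = a.s_addr;
    out->mask = m.s_addr;
    return true;
}

/* Fill nets[] from the running system via getifaddrs(). Returns the number of
 * IPv4 interfaces stored, or -1 on error; entries without a netmask are skipped. */
int collect_local_nets_v4(struct local_net_v4 *nets, size_t max)
{
    struct ifaddrs *list, *ifa;
    int n = 0;
    if (getifaddrs(&list) != 0)
        return -1;
    for (ifa = list; ifa != NULL && (size_t)n < max; ifa = ifa->ifa_next) {
        if (ifa->ifa_addr == NULL || ifa->ifa_netmask == NULL ||
            ifa->ifa_addr->sa_family != AF_INET)
            continue;
        nets[n].addr = ((struct sockaddr_in *)ifa->ifa_addr)->sin_addr.s_addr;
        nets[n].mask = ((struct sockaddr_in *)ifa->ifa_netmask)->sin_addr.s_addr;
        n++;
    }
    freeifaddrs(list);
    return n;
}

/* Decision for a dotted-quad peer against two constructed interfaces
 * (192.168.1.10/24 and 10.0.0.5/8), no override: true = accept. */
bool sample_decision_v4(const char *peer)
{
    struct local_net_v4 nets[2];
    struct in_addr p;
    if (!make_net_v4(&nets[0], "192.168.1.10", "255.255.255.0") ||
        !make_net_v4(&nets[1], "10.0.0.5", "255.0.0.0") ||
        inet_pton(AF_INET, peer, &p) != 1)
        return false;
    return peer_allowed_v4(p.s_addr, nets, 2, false);
}

/* Stand-alone run: classify a few constructed peers against the live interfaces. */
int main(void)
{
    struct local_net_v4 nets[64];
    const char *peers[] = { "127.0.0.1", "192.0.2.7" };
    int n = collect_local_nets_v4(nets, 64);
    if (n < 0) {
        perror("getifaddrs");
        return 1;
    }
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++) {
        struct in_addr p;
        if (inet_pton(AF_INET, peers[i], &p) != 1)
            continue;
        printf("%-12s %s\n", peers[i],
               peer_allowed_v4(p.s_addr, nets, (size_t)n, false) ? "accept" : "reject");
    }
    return 0;
}
```

Note that a check like this is only a heuristic against accidental open resolvers: it keys on the source address of a UDP query, which the resolver cannot verify, so it limits exposure to the local subnets rather than providing authentication, and, as the quoted message says, IPv6 needs separate prefix-length handling.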


