[Dnsmasq-discuss] rebind-protection vs servers-file

Dave Taht dave.taht at gmail.com
Mon Nov 24 21:48:32 GMT 2014


On Mon, Nov 24, 2014 at 1:02 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 22/11/14 23:06, Dave Taht wrote:
>> I have been fiddling with improving my internal dns, by creating a
>> file that has all my internal dns servers in it that I can easily copy
>> everywhere.
>>
>> Example serversfile.
>>
>> server=/rossow.r.lupinlodge.org/172.23.143.9
>> rev-server=172.23.8.0/23,172.23.143.9
>>
>> server=/lodge.r.lupinlodge.org/172.23.143.7
>> rev-server=172.23.6.0/23,172.23.143.7
>>
>> and adding the one line of parsing needed in OpenWrt's dnsmasq script...
>>
>> with rebind-protection enabled I get an error if trying to ping
>> rossow.r.lupinlodge.org
>>
>> with it disabled, it does the right thing.
>>
>> Will fiddle some more
>>
>
> So dnsmasq is forwarding the query for rossow.r.lupinlodge.org and
> getting an RFC 1918 address back as the answer? That will trigger the
> rebind protection, which does nothing more than disallow RFC1918
> addresses in answers from upstream servers; it's not very bright. As far
> as I can see, rebind protection is fundamentally incompatible with the
> network-of-dnsmasq instances you're experimenting with, since RFC1918
> addresses as answers from other dnsmasq instances are required.

I had figured that specifying these in the serversfile would override
the basic rebind protection for these IPs.

>
>
> Cheers,
>
> Simon.



-- 
Dave Täht

http://www.bufferbloat.net/projects/bloat/wiki/Upcoming_Talks
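
Added example, not part of the original thread and not code from dnsmasq or OpenWrt: dnsmasq's `rebind-domain-ok=/domain/` option exempts named domains from `stop-dns-rebind`, so one way to keep rebind protection enabled alongside a servers file like the one quoted above is to generate an exemption for each domain that file names. The function names and the choice to place the output in the main configuration (not in the servers file itself) are assumptions.

```shell
#!/bin/sh
# Added example: derive rebind-domain-ok exemptions from a dnsmasq servers file.
# Function names are hypothetical; the sample input is the example from the thread.

# Print the servers file quoted in the thread (sample input, embedded inline).
sample_servers_file() {
    cat <<'EOF'
server=/rossow.r.lupinlodge.org/172.23.143.9
rev-server=172.23.8.0/23,172.23.143.9

server=/lodge.r.lupinlodge.org/172.23.143.7
rev-server=172.23.6.0/23,172.23.143.7
EOF
}

# Read a servers file ($1, or stdin when omitted) and emit one
# rebind-domain-ok line per domain that is forwarded to a specific server.
rebind_exemptions() {
    awk -F/ '
        /^server=\// {
            # Fields: "server=", one or more domains, then the target server.
            target = $NF
            # "server=/dom/" is answered locally and "server=/dom/#" uses the
            # default upstreams, so neither should get an exemption.
            if (target == "" || target == "#") next
            for (i = 2; i < NF; i++)
                if ($i != "" && !seen[$i]++)
                    print "rebind-domain-ok=/" $i "/"
        }
        # rev-server= and plain server=<addr> lines name no domain: skipped.
    ' "${1:--}"
}

# Demo: show the exemptions for the thread's example file.
sample_servers_file | rebind_exemptions
```

Only the listed domains are exempted; RFC 1918 answers for every other name are still rejected by `stop-dns-rebind`.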


