[Dnsmasq-discuss] Feature enhancement to rebind protection

Kurt H Maier khm at sciops.net
Sun Jan 28 19:16:39 GMT 2018


On Sun, Jan 28, 2018 at 11:17:44AM -0500, Eric Luehrsen wrote:
> It would not be a Bug if it is an appropriately selectable option for
> local administration to configure for their own security requirements.
          
[ snip ]

> I had already imagined your concerns, and attempted to address them the
> use case. Externally facing servers should be placed in a DMZ, or that
                                               
I hope it's not your intent to claim that all software should support
"security requirements" and then proceed to mandate those security 
requirements, but that's what it sounds like you're doing.

The "security requirements" you're discussing are side-effects of IPv4
address scarcity, so accustomed to which are securitists that they've
become cultural touchstones.  That scarcity does not exist in the IPv6
space and it would probably be unwise to continue behaving as though it
did.  It is not a matter of course to invent a DMZ or put specific
machines into one.  In many organizations, every machine is "externally
facing"; this used to be called "being connected to the internet" and
is, I assure you, extremely survivable without DNS prestidigitation.
       
Please keep in mind that while there's nothing stopping you from doing
whatever you'd like with your computers, deliberately configuring DNS   
servers to lie to each other wasn't ever really part of the design, and
it's not particularly polite to inflict the resulting complexity on the
rest of us. 
       
       
khm


