[Dnsmasq-discuss] CERT Vulnerability VU#598349

klondike klondike at klondike.es
Mon Sep 10 00:19:26 BST 2018


Hi Simon,

On 08/09/18 at 19:17, Simon Kelley wrote:
> The question is, should the above configuration be "baked in" to the code?

Yes. In general it is considered against good practice to provide insane
defaults and in this case this entails software and not configuration
defaults.

Keep in mind that dnsmasq is used by a wide variety of users nowadays,
not only home routers and embedded but also as a simple DHCP/DNS server
in NAT setups, for example by NetworkManager or libvirt. Getting all of
these users to update the way in which they generate dnsmasq
configurations may be impractical as opposed to the rare case of allowing
the names in such a blacklist.

Because of this it would be best to let dnsmasq default to safe
behaviour (filtering known bad names like wpad) and allowing users to
disable this behaviour via a configuration/command line directive. That
way the next update will fix the problem for the majority of users out
of the box whilst still allowing the few with a legitimate interest in
allowing overriding of entries like wpad to do so.

If you need help writing such a patch I can try to get some time to do so.

Sincerely,

Klondike
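
The default-deny-with-opt-out behaviour proposed in this message, sketched as an added example; it is not dnsmasq code and not part of the original post. The names `dhcp_name_allowed`, `struct name_policy`, `POLICY_DEFAULT` and `POLICY_ALLOW_RESERVED` are hypothetical, and the deny-list holds only "wpad", the one name the message gives.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical built-in deny-list; "wpad" is the only name the post mentions. */
static const char *const reserved_names[] = { "wpad" };

/* Hypothetical opt-out switch: 0 = filter (safe default),
   1 = operator explicitly allowed reserved names. */
struct name_policy { int allow_reserved; };
const struct name_policy POLICY_DEFAULT = { 0 };
const struct name_policy POLICY_ALLOW_RESERVED = { 1 };

/* Case-insensitive compare of one DNS label against a reserved name. */
static int label_equals(const char *label, size_t len, const char *reserved)
{
    size_t i;

    if (strlen(reserved) != len)
        return 0;
    for (i = 0; i < len; i++)
        if (tolower((unsigned char)label[i]) !=
            tolower((unsigned char)reserved[i]))
            return 0;
    return 1;
}

/* Return 1 if a DHCP-client-supplied hostname may be entered into DNS.
   A NULL policy means "use the safe default". */
int dhcp_name_allowed(const char *name, const struct name_policy *pol)
{
    size_t i, label_len;

    if (name == NULL || *name == '\0')
        return 0;                      /* nothing to register */
    if (pol != NULL && pol->allow_reserved)
        return 1;                      /* operator opted out of filtering */

    /* Only the first label matters, so "wpad", "WPAD." and
       "wpad.example.lan" are all treated the same. */
    label_len = strcspn(name, ".");
    for (i = 0; i < sizeof reserved_names / sizeof reserved_names[0]; i++)
        if (label_equals(name, label_len, reserved_names[i]))
            return 0;
    return 1;
}
```
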

