<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-forward-container">
<p>Hi,</p>
<p>Love the software; just an observation: the manual at <a
class="moz-txt-link-freetext"
href="https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html"
moz-do-not-send="true">https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html</a>
states for --no-ident:</p>
<dl>
<dt><b>--no-ident</b> </dt>
<dd> Do not respond to class CHAOS and type TXT in domain bind
queries.
<p> Without this option being set, the cache statistics are also
available in the DNS as answers to queries of class CHAOS and
type TXT in domain bind. The domain names are cachesize.bind,
insertions.bind, evictions.bind, misses.bind, hits.bind,
auth.bind and servers.bind unless disabled at compile-time. An
example command to query this, using the <b>dig</b> utility
would be </p>
<p> dig +short chaos txt cachesize.bind </p>
</dd>
</dl>
<p>However looking at the code (src/option.c):</p>
<blockquote>
<pre>  /* Add TXT records if wanted */
#ifndef NO_ID
  if (!option_bool(OPT_NO_IDENT))
    {
      add_txt("version.bind", "dnsmasq-" VERSION, 0 );
      add_txt("authors.bind", "Simon Kelley", 0);
      add_txt("copyright.bind", COPYRIGHT, 0);
      add_txt("cachesize.bind", NULL, TXT_STAT_CACHESIZE);
      add_txt("insertions.bind", NULL, TXT_STAT_INSERTS);
      add_txt("evictions.bind", NULL, TXT_STAT_EVICTIONS);
      add_txt("misses.bind", NULL, TXT_STAT_MISSES);
      add_txt("hits.bind", NULL, TXT_STAT_HITS);
#ifdef HAVE_AUTH
      add_txt("auth.bind", NULL, TXT_STAT_AUTH);
#endif
      add_txt("servers.bind", NULL, TXT_STAT_SERVERS);
    }
#endif</pre>
</blockquote>
<p>There are technically 3 further additional domain names which are
not documented:</p>
<ul>
<li>auth.bind</li>
<li><b>authors.bind</b></li>
<li>cachesize.bind</li>
<li><b>copyright.bind</b></li>
<li>evictions.bind</li>
<li>hits.bind</li>
<li>insertions.bind</li>
<li>misses.bind</li>
<li>servers.bind</li>
<li><b>version.bind</b></li>
</ul>
<p>This could lead a reader to not realise that "version.bind" is
a potential information disclosure issue (for those who worry
about that sort of thing, especially with the recent patched
vulnerabilities) or how one could disable that specifically.</p>
<p>Also may I respectfully suggest for your consideration:</p>
<ol>
<li>auth.bind could do with explaining in the manual that it's
the "(number of authoritative queries answered)" and nothing
to do with authentication, DNSSEC auth-ed queries etc. etc. </li>
<li>servers.bind could also explain "(in the format
&lt;&lt;Address#Port&gt;&gt; &lt;&lt;TotalQueries&gt;&gt;
&lt;&lt;FailedQueries&gt;&gt;)"</li>
<li>Maybe some DNSSEC stats could also be available in DNS (if
all the other stats are), "crypto.bind", "subqueries.bind",
"sigfail.bind" that appear in the usual statistics message?</li>
<li>Maybe access to the stale stats "stale.bind"?</li>
</ol>
<p>Kind Regards,<br>
Matthew</p>
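<p>Added example, not part of the message above and not dnsmasq's own code: a small Python script that builds the CHAOS/TXT query that <b>dig chaos txt &lt;name&gt;</b> sends, parses the TXT answer (including the compression pointer a server puts on the answer owner name), and reports which of the three identity names from the option.c snippet (version.bind, authors.bind, copyright.bind) an instance answers. It is meant as an operator's self-check after setting <b>no-ident</b>. Every response it parses is constructed inside the file rather than captured from a server; the version and copyright strings are placeholders, and the function names are this example's own.</p>

```python
import struct

# Added example, not dnsmasq code: build the CHAOS/TXT query that
# `dig chaos txt <name>` sends, parse the TXT answer, and report which of the
# identity names (version.bind, authors.bind, copyright.bind) an instance answers.
# All responses below are constructed in this file, not captured from a server.

CLASS_CHAOS = 3
TYPE_TXT = 16
IDENTITY_NAMES = ("version.bind", "authors.bind", "copyright.bind")


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus a root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_chaos_txt_query(name, txid=0x1234):
    """Header (RD=1, one question) followed by the TXT/CHAOS question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_CHAOS)


def build_chaos_txt_response(query, strings):
    """Constructed reply for `query`: echo the question and, if `strings` is not
    None, add one TXT RR whose owner is a compression pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    if strings is None:                      # server has no record for this name
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    rdata = b"".join(bytes([len(s)]) + s.encode("ascii") for s in strings)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CHAOS, 0, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:                    # refuse looping pointers
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_txt_answers(msg):
    """Return {owner name: [TXT strings]} for each CHAOS TXT RR in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4                          # skip QTYPE + QCLASS
    answers = {}
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CHAOS:
            strings, pos = [], 0
            while pos < len(rdata):          # TXT rdata: one or more <len><bytes>
                slen = rdata[pos]
                strings.append(rdata[pos + 1:pos + 1 + slen].decode("ascii"))
                pos += 1 + slen
            answers[name] = strings
    return answers


def audit_identity_names(responses):
    """Given {name: raw response bytes}, list the identity names that answered."""
    disclosed = []
    for name in IDENTITY_NAMES:
        if name in responses:
            answers = parse_txt_answers(responses[name])
            if name in answers:
                disclosed.append((name, answers[name]))
    return disclosed


def demo():
    # Constructed: before `no-ident` all three names answer; afterwards none do.
    before = {n: build_chaos_txt_response(build_chaos_txt_query(n), [v])
              for n, v in (("version.bind", "dnsmasq-VERSION"),          # placeholder
                           ("authors.bind", "Simon Kelley"),
                           ("copyright.bind", "COPYRIGHT-PLACEHOLDER"))}  # placeholder
    after = {n: build_chaos_txt_response(build_chaos_txt_query(n), None) for n in IDENTITY_NAMES}
    return audit_identity_names(before), audit_identity_names(after)


if __name__ == "__main__":
    print(demo())
```

<p>Against a real instance the same check is <b>dig +short chaos txt version.bind @your-resolver</b>, the form the manual already gives for cachesize.bind; the script only shows what is on the wire in both directions so the answer can be checked without trusting a client's presentation.</p>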
</div>
</body>
</html>