[Dnsmasq-discuss] configurable stop-dns-rebind?

clemens fischer ino-news at spotteswoode.dnsalias.org
Tue May 11 00:02:30 BST 2010


Simon Kelley wrote:

> clemens fischer wrote:
>
>> I have one little nit with option "stop-dns-rebind": it breaks
>> the RBLs needed to defend against spam.  If only it could be a
>> sub-option to the "server" option to select which servers are allowed
>> to receive answers in the 127/8 or some other range!
>>
>> Maybe a new option is needed, because "server" requires the IP of the
>> nameserver.  The configuration would need to allow something like:
>>
>>   rbl=<rbl-domain>/<allowed-range(s)>
>>
>> This should signal dnsmasq that clients don't actually use IPs from
>> the <allowed-range(s)> for networking and should be returned even
>> with "stop-dns-rebind" set.
>>
>> Simon, would you accept a patch to that effect or implement it
>> yourself?  How should the possibly new option be named? "rbl" sounds
>> a bit too specific for a general concept like this.
> 
> One way to do this which would require very little code would be to
> extend the current domain matching code:
>
> server=/subdomain.domain/1.2.3.4
>
> and
>
> address=/subdomain.domain/1.2.3.4
>
> By simply giving the ability to switch off rbl checking on some
> domains with something like
>
> rbl-domain=/subdomain.domain/
>
> If the ability to specify particular IP ranges is not needed (why
> should it be?) then this could be implemented very cheaply (in terms
> of developer effort and extra code-size.)

In general narrowing to specific IP ranges could prove useful, but
I don't know how myself.  I just thought it to be a nifty security
feature or something.

> Would that work?

Yes it would.  I had thought about adding a flag to the "server" option:

    server=/subdomain.domain/no-rbl

but that's awkward.  Dnsmasq would need to recognize and handle it
specially in that no IP is given and the IP would have to be got from
other "server" statements.

"rbl-domain" is the better way.  Dnsmasq would still need to add to the
internal structure keeping "server" info indicating that the
"stop-dns-rebind" is disabled for the "rbl-domain"s.  I even tried to
figure out where to put the code, but didn't find the right place.


clemens

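An added illustration of the policy discussed in this thread (not code from the thread or from dnsmasq itself): a stop-dns-rebind check that rejects upstream answers in loopback or private ranges unless the query name falls under a configured rbl-domain. The blocked-range list, the hypothetical RBL zone `rbl.example` and the "reject the whole reply" behaviour are assumptions made for the example.

```python
import ipaddress
import logging

# Address ranges an upstream answer may not contain when stop-dns-rebind is on.
# Constructed for this example: loopback plus RFC 1918; dnsmasq's exact list is
# in its manual, not on this page.
REBIND_BLOCKED = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def under_domain(name: str, domain: str) -> bool:
    """dnsmasq-style '/domain/' match: name is the domain or a label below it."""
    name = name.rstrip(".").lower()
    domain = domain.strip("/").rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def check_upstream_reply(qname, addresses, stop_dns_rebind=True, rbl_domains=()):
    """Return (accept, reason) for a forwarded reply carrying A records.

    Models the policy proposed in the thread: with stop-dns-rebind set, any
    answer inside REBIND_BLOCKED is rejected as a possible rebinding attack,
    except when qname lies under one of the configured rbl-domain entries,
    whose 127.0.0.x answers are listing codes, not addresses clients connect to.
    """
    if not stop_dns_rebind:
        return True, "stop-dns-rebind off"
    if any(under_domain(qname, d) for d in rbl_domains):
        return True, "rbl-domain exception"
    for ip in addresses:
        addr = ipaddress.ip_address(ip)
        for net in REBIND_BLOCKED:
            if addr in net:
                logging.warning("possible DNS-rebind attack: %s -> %s", qname, ip)
                return False, f"{ip} in {net}"
    return True, "no private addresses"


if __name__ == "__main__":
    # Hypothetical RBL zone; the reversed-octet query form is the usual RBL style.
    rbl = ["/rbl.example/"]
    print(check_upstream_reply("2.0.0.127.rbl.example", ["127.0.0.2"]))
    print(check_upstream_reply("2.0.0.127.rbl.example", ["127.0.0.2"], rbl_domains=rbl))
    print(check_upstream_reply("host.example.net", ["192.168.1.10"], rbl_domains=rbl))
```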