[Dnsmasq-discuss] configurable stop-dns-rebind?
clemens fischer
ino-news at spotteswoode.dnsalias.org
Tue May 11 16:20:42 BST 2010
/dev/rob0 wrote:
> I would suggest that "RBL" is not the proper term, it is "DNSBL".
> "RBL" refers specifically to the MAPS RBL.
Good idea.
> I've never had the issue, because I don't use --stop-dns-rebind.
> I have VPN-linked RFC 1918 netblocks that I want to resolve on the
> other ends of the VPN. So, maybe the exceptions need to be broader
> than just for DNSBLs?
Ah, hadn't thought of that! Ok, then a possible option DNSBL should
look like "DNSBL=/dnsbl.example.com/". I thought this to mean that only
the answers to queries to dnsbl.example.com are exempted from the
stop-dns-rebind check.
src/rfc1035.c::private_net() defines all the customary RFC 1918
netblocks. It is the basis for the exceptions handled for OPT_BOGUSPRIV
and OPT_NO_REBIND. Currently, the latter applies only to IPv4 IPs. If
the host's IP stack has no bugs, this should be OK considering IPv6 has
scopes.
It looks like you could put your VPN's names into "DNSBL=/.../"
statements and have their names protected from the rfc-1918 check.
clemens
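To make the proposal concrete, here is an added example (not dnsmasq's code, and not a reproduction of its private_net() or option parser) of a stop-dns-rebind style filter with the per-domain exemption the mail sketches: an A record in an RFC 1918 block is dropped unless the query name is, or is under, a domain listed in a "DNSBL=/name/" style statement. The exempt list, the function names and the VPN/DNSBL domain names are assumptions for the illustration; the check covers only the three RFC 1918 blocks and, like the current option as described above, only IPv4.

```c
/* Added example for the Dnsmasq-discuss thread: an IPv4 rebinding filter
 * with per-domain exemptions. This is NOT dnsmasq's code; dnsmasq's
 * private_net() in src/rfc1035.c may cover more than is shown here.
 * The "DNSBL=/domain/" syntax is the one proposed in the mail. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

/* Return 1 if the IPv4 address (network byte order, as held in a
 * struct in_addr) lies in one of the RFC 1918 private blocks. */
int is_rfc1918(struct in_addr addr)
{
    uint32_t ip = ntohl(addr.s_addr);
    return ((ip & 0xFF000000u) == 0x0A000000u)   /* 10.0.0.0/8     */
        || ((ip & 0xFFF00000u) == 0xAC100000u)   /* 172.16.0.0/12  */
        || ((ip & 0xFFFF0000u) == 0xC0A80000u);  /* 192.168.0.0/16 */
}

/* Exemption list built from hypothetical "DNSBL=/name/" statements.
 * A query name is exempt if it equals an entry or is a subdomain of it;
 * "notvpn.example.net" must NOT match "vpn.example.net", so the character
 * before the matched suffix has to be a label separator. DNS names are
 * case-insensitive, and a trailing dot on the query name is tolerated. */
int name_is_exempt(const char *qname, const char *const *exempt, size_t n)
{
    size_t qlen = strlen(qname);
    if (qlen && qname[qlen - 1] == '.')
        qlen--;                                    /* ignore root dot */
    for (size_t i = 0; i < n; i++) {
        size_t elen = strlen(exempt[i]);
        if (elen == 0 || elen > qlen)
            continue;
        const char *tail = qname + (qlen - elen);
        if (strncasecmp(tail, exempt[i], elen) != 0)
            continue;
        if (qlen == elen || tail[-1] == '.')
            return 1;
    }
    return 0;
}

/* Verdict for one A record of a reply to qname:
 * 1 = hand it to the client, 0 = drop it as a rebinding attempt.
 * Unparsable address text fails closed. */
int rebind_allow(const char *qname, const char *a_text,
                 const char *const *exempt, size_t n)
{
    struct in_addr addr;
    if (inet_pton(AF_INET, a_text, &addr) != 1)
        return 0;
    if (!is_rfc1918(addr))
        return 1;                  /* public address: never a rebind */
    return name_is_exempt(qname, exempt, n);
}

int main(void)
{
    /* Constructed sample: one VPN domain exempted as rob0 wants,
     * and a mix of answers a resolver might see. */
    const char *const exempt[] = { "vpn.example.net" };
    const size_t nex = sizeof exempt / sizeof exempt[0];
    const char *const cases[][2] = {
        { "gw.vpn.example.net",  "10.8.0.1" },       /* exempt VPN host  */
        { "evil.example.org",    "10.8.0.1" },       /* rebind: dropped  */
        { "evil.example.org",    "93.184.216.34" },  /* public: passes   */
        { "notvpn.example.net",  "192.168.1.1" },    /* suffix trick     */
        { "VPN.EXAMPLE.NET.",    "172.16.0.1" },     /* case + root dot  */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-22s %-15s -> %s\n", cases[i][0], cases[i][1],
               rebind_allow(cases[i][0], cases[i][1], exempt, nex)
                   ? "allow" : "drop");
    return 0;
}
```

The suffix match is the part worth getting right: a plain strstr() or a bare suffix compare would let an attacker register notvpn.example.net and have its RFC 1918 answers waved through, so the check insists on a label boundary before the exempted name.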