[Dnsmasq-discuss] configurable stop-dns-rebind?
Simon Kelley
simon at thekelleys.org.uk
Tue May 11 21:32:27 BST 2010
clemens fischer wrote:
> /dev/rob0 wrote:
>
>> I would suggest that "RBL" is not the proper term, it is "DNSBL".
>> "RBL" refers specifically to the MAPS RBL.
>
> Good idea.
>
>> I've never had the issue, because I don't use --stop-dns-rebind.
>> I have VPN-linked RFC 1918 netblocks that I want to resolve on the
>> other ends of the VPN. So, maybe the exceptions need to be broader
>> than just for DNSBLs?
>
> Ah, hadn't thought of that! Ok, then a possible option DNSBL should
> look like "DNSBL=/dnsbl.example.com/". I thought this to mean that only
> the answers to queries to dnsbl.example.com are exempted from the
> stop-dns-rebind check.
>
> src/rfc1035.c::private_net() defines all the customary rfc-1918
> netblocks. It is the basis for the exceptions handled for OPT_BOGUSPRIV
> and OPT_NO_REBIND. Currently, the latter applies only to IPv4 IPs. If
> the host's IP stack has no bugs, this should be ok considering IPv6 has
> scopes.
>
> It looks like you could put your VPN's names into "DNSBL=/.../"
> statements and have their names protected from the rfc-1918 check.
>
OK, try test25, in the usual place. I called the option
--rebind-domain-ok but otherwise it's as Clemens describes.
Comments welcome.
Cheers,
Simon.
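The check the thread describes (reject an upstream reply whose A records point into private netblocks unless the queried name falls under an exempt domain, with IPv6 answers left alone) can be modelled in a few lines. The following is an added illustration written for this archive page, not dnsmasq's own code: the netblock list is an assumption (the thread names only "the customary rfc-1918 netblocks"; loopback and link-local are included here because DNSBLs conventionally answer with 127.0.0.x, which is exactly the case the thread is about), and the function names, the `/domain/` option syntax parsing and the sample records are constructed for the example.

```python
import ipaddress

# Netblocks treated as "private" by the rebind check.  RFC 1918 is what the
# thread names; 127/8 and 169.254/16 are an assumption added so that a DNSBL
# answer such as 127.0.0.2 exercises the exemption path.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # assumption, see above
)]


def private_net(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of PRIVATE_NETS.

    Only IPv4 is examined, mirroring the thread's note that the rebind
    check currently applies to IPv4 addresses only."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def domain_ok(qname: str, ok_domains) -> bool:
    """True if qname equals, or is a subdomain of, an exempt domain.

    Domains are accepted in the "/dnsbl.example.com/" form used in the
    thread; the slashes are stripped before comparison."""
    q = qname.rstrip(".").lower()
    for dom in ok_domains:
        d = dom.strip("/").rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def check_reply(qname: str, answers, stop_dns_rebind: bool = True,
                rebind_domain_ok=()) -> bool:
    """Return True if the reply for qname should be passed to the client.

    With stop_dns_rebind off, everything passes.  Otherwise the whole reply
    is rejected as soon as one answer is a private IPv4 address, unless the
    queried name is covered by rebind_domain_ok (the --rebind-domain-ok
    list).  IPv6 answers never trigger rejection."""
    if not stop_dns_rebind:
        return True
    if domain_ok(qname, rebind_domain_ok):
        return True
    return not any(private_net(a) for a in answers)


if __name__ == "__main__":
    # Constructed sample replies: (query name, A/AAAA records returned upstream).
    exempt = ["/dnsbl.example.com/", "/vpn.example.net/"]
    samples = [
        ("www.example.com", ["203.0.113.10"]),                  # public, passes
        ("www.example.com", ["203.0.113.10", "192.168.1.1"]),   # private mixed in, rejected
        ("2.0.0.127.dnsbl.example.com", ["127.0.0.2"]),         # DNSBL hit, exempt
        ("intranet.vpn.example.net", ["10.8.0.5"]),             # VPN name, exempt
        ("www.example.com", ["fd00::1"]),                        # IPv6 not checked
    ]
    for name, recs in samples:
        verdict = "pass" if check_reply(name, recs, rebind_domain_ok=exempt) else "reject"
        print(f"{name:32s} {recs} -> {verdict}")
```

The last sample is the IPv6 caveat from the thread made concrete: a ULA answer passes untouched because only IPv4 is inspected, so sites relying on this check for IPv6-reachable services need a separate control.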