[Dnsmasq-discuss] only forward requests for specific hosts

Simon Kelley simon at thekelleys.org.uk
Fri Aug 9 10:56:22 BST 2013


On 09/08/13 08:04, Frederic Van Espen wrote:
> Hi,
>
> I'm running dnsmasq as a caching dns server that forwards requests to
> some.specific.domain.com to an internal dns server. This dnsmasq
> instance is exposed publicly on ethx and privately on ethy.
>
> Is there a way to configure dnsmasq in such a way that:
> - from the public internet, only requests for the
> some.specific.domain.com are forwarded to our internal server. Requests
> that require resolving should be responded to as "no such address".
> - from our private network, anything is allowed. that means requests to
> some.specific.domain.com and other requests that need forwarding are
> allowed.
>
> I need this to prevent this host from being used as an open resolver
> which can be used for dns attacks.
>

Best solution would be to use --bind-interfaces and --interface and run 
two different instances of dnsmasq, one for internal and one for 
external use.

Note that the current (2.66) version of dnsmasq includes an 
authoritative mode which may be useful to you, though it doesn't solve 
the exact problem you give: it only answers "external" queries with data 
it knows, from /etc/hosts or DHCP or other configuration.


Cheers,

Simon.
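What the two-instance layout suggested in the reply looks like in practice, as an added example that is not part of the thread and not the dnsmasq project's own code: a POSIX shell script that writes one configuration file per instance (one bound to the public interface, one to the private interface) and shows how each would be started. The interface names eth0/eth1, the internal server address 10.0.0.2, the public-side upstream 192.0.2.53 and the file paths are placeholders, not values from the thread; the only domain is the some.specific.domain.com from the original question.

```shell
#!/bin/sh
# Added example: two dnsmasq instances, one per interface, so that the
# publicly reachable one can only forward a single domain.
# All addresses and interface names below are assumed placeholders.
PUBLIC_IF="${PUBLIC_IF:-eth0}"          # interface facing the internet
PRIVATE_IF="${PRIVATE_IF:-eth1}"        # interface facing the LAN
INTERNAL_DNS="${INTERNAL_DNS:-10.0.0.2}" # internal server for the domain
UPSTREAM_DNS="${UPSTREAM_DNS:-192.0.2.53}" # general upstream, LAN side only

# Configuration for the instance exposed on the public interface.
external_conf() {
cat <<EOF
# Listen only on the public interface. bind-interfaces makes dnsmasq bind
# that interface's address specifically instead of the wildcard, which is
# what lets a second instance listen on the other interface.
interface=$PUBLIC_IF
bind-interfaces
# Do not read /etc/resolv.conf: the only upstream this instance may use is
# the internal server, and only for the one domain.
no-resolv
server=/some.specific.domain.com/$INTERNAL_DNS
# No other server= line exists, so queries for any other name have no
# upstream and are not forwarded; this instance cannot act as an open
# resolver. Check the exact answer it gives with dig against $PUBLIC_IF.
EOF
}

# Configuration for the instance on the private interface: same domain
# rule, plus a general upstream for everything else.
internal_conf() {
cat <<EOF
interface=$PRIVATE_IF
bind-interfaces
no-resolv
server=/some.specific.domain.com/$INTERNAL_DNS
server=$UPSTREAM_DNS
EOF
}

# Write both files into the directory given as the first argument.
write_configs() {
    dir="$1"
    external_conf > "$dir/dnsmasq-external.conf"
    internal_conf > "$dir/dnsmasq-internal.conf"
}

# Start the two instances from a directory of config files. --conf-file
# and --pid-file are standard dnsmasq options; this needs root and
# dnsmasq installed, so it is not called by default.
start_instances() {
    dir="$1"
    dnsmasq --conf-file="$dir/dnsmasq-external.conf" \
            --pid-file=/run/dnsmasq-external.pid
    dnsmasq --conf-file="$dir/dnsmasq-internal.conf" \
            --pid-file=/run/dnsmasq-internal.pid
}

# Usage (as root): write_configs /etc && start_instances /etc
```

With both instances up, a query for some.specific.domain.com from either side reaches the internal server, while only clients on the private interface can get anything else resolved.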


