[Dnsmasq-discuss] [PATCH] auth-zone to ignore more non-global addresses

Simon Kelley simon at thekelleys.org.uk
Mon Jan 19 15:47:51 GMT 2015


Two observations:

1) The patch as it stands doesn't just affect authoritative DNS
answers - it filters those addresses from "ordinary" internal DNS
requests too.

2) Following from that, there's a good chance that there are dnsmasq
installations that rely on these addresses (RFC1918 and ULA especially).

So at least, there needs to be a distinction between internal and auth
requests, and/or some ability to configure this.

I'm intrigued, why are you assigning "real" addresses to the loopback
interface?


Cheers,

Simon.


On 18/01/15 17:17, Alexander Clouter wrote:
> This patch makes sure dnsmasq does not put any non-global
> addresses (loopback, rfc1918, and ULA addresses) into the
> authoritative zone file, in particular when global addresses are
> added to the loopback interface.
> 
> The following configuration shows this behaviour:
> ----
> # ip addr show dev lo
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet6 2002:4d4b:6a22:8::/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 2a01:348:45:8::/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fd2a:7fba:ff04:8::/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
>
> # dnsmasq .... \
>     --auth-server=digriz.wormnet.eu,ppp0 \
>     --server=/digriz.wormnet.eu/ \
>     --interface-name=digriz.wormnet.eu,lo \
>     --interface-name=digriz.wormnet.eu,ppp0 \
>     --auth-zone=digriz.wormnet.eu,lo,ppp0,br0/6 \
>     --domain=digriz.wormnet.eu,192.168.1.0/24,local
> ----
> 
> Without this patch, you see externally:
> ----
> alex at marmot:~$ host digriz.wormnet.eu 77.75.106.34
> Using domain server:
> Name: 77.75.106.34
> Address: 77.75.106.34#53
> Aliases:
>
> digriz.wormnet.eu has address 127.0.0.1
> digriz.wormnet.eu has address 77.75.106.34
> digriz.wormnet.eu has IPv6 address ::1
> digriz.wormnet.eu has IPv6 address fd2a:7fba:ff04:8::
> digriz.wormnet.eu has IPv6 address 2a01:348:45:8::
> digriz.wormnet.eu has IPv6 address 2002:4d4b:6a22:8::
> digriz.wormnet.eu has IPv6 address 2a01:348:ad51:1539:6524:39bd:2da6:e349
> ----
> 
> With the patch, you see:
> ----
> alex at marmot:~$ host digriz.wormnet.eu 77.75.106.34
> Using domain server:
> Name: 77.75.106.34
> Address: 77.75.106.34#53
> Aliases:
>
> digriz.wormnet.eu has address 77.75.106.34
> digriz.wormnet.eu has IPv6 address 2a01:348:45:8::
> digriz.wormnet.eu has IPv6 address 2002:4d4b:6a22:8::
> digriz.wormnet.eu has IPv6 address 2a01:348:ad51:1539:6524:39bd:2da6:e349
> ----
> 
> Signed-off-by: Alexander Clouter <alex+dnsmasq at digriz.org.uk> -- 
> src/network.c |    6 ++++-- 1 files changed, 4 insertions(+), 2
> deletions(-)
> 
> --- a/src/network.c    2015-01-04 19:09:25.086396076 +0000 +++
> b/src/network.c    2015-01-04 19:29:04.402377390 +0000 @@ -302,10
> +302,12 @@ #endif } } -  + +  if ((addr->sa.sa_family == AF_INET &&
> !private_net(addr->in.sin_addr, 1)) #ifdef HAVE_IPV6 -  if
> (addr->sa.sa_family != AF_INET6 || 
> !IN6_IS_ADDR_LINKLOCAL(&addr->in6.sin6_addr)) +    ||
> (addr->sa.sa_family == AF_INET6 && 
> !IN6_IS_ADDR_LOOPBACK(&addr->in6.sin6_addr) && 
> !IN6_IS_ADDR_LINKLOCAL(&addr->in6.sin6_addr) && 
> !IN6_IS_ADDR_ULA(&addr->in6.sin6_addr)) #endif +    ) { struct
> interface_name *int_name; struct addrlist *al;
> 
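Review bot: The rewritten if ahead of "struct interface_name *int_name;" applies the new exclusions (!private_net(addr->in.sin_addr, 1), !IN6_IS_ADDR_LOOPBACK, !IN6_IS_ADDR_ULA) with no term that depends on whether the address is being collected for an auth zone, so everything that uses this block loses loopback, RFC1918 and ULA addresses, not only the authoritative answers the description targets. Suggest keeping the original link-local-only test at this point and applying the extra exclusions on the auth path only, or behind an option. Two smaller points: the old test let any family other than AF_INET6 through, while the new one admits only AF_INET and AF_INET6; and the diffstat touches only src/network.c, so the change in behaviour is not documented.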
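Added example, not dnsmasq code and not part of the patch or of either message: one way to keep the internal/auth distinction raised in the reply while filtering the address classes the patch description lists. The names classify, should_publish and for_auth are hypothetical, and the ULA test is written out by hand as fc00::/7.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

enum addr_class { ADDR_INVALID, ADDR_GLOBAL, ADDR_LINKLOCAL, ADDR_PRIVATE };

/* Hypothetical classifier. ADDR_PRIVATE covers what the patch description
   lists: loopback, RFC1918 and ULA (fc00::/7). */
enum addr_class classify(const char *text)
{
  struct in_addr a4;
  struct in6_addr a6;
  if (inet_pton(AF_INET, text, &a4) == 1) {
    uint32_t ip = ntohl(a4.s_addr);
    if ((ip & 0xff000000u) == 0x7f000000u ||   /* 127.0.0.0/8    */
        (ip & 0xff000000u) == 0x0a000000u ||   /* 10.0.0.0/8     */
        (ip & 0xfff00000u) == 0xac100000u ||   /* 172.16.0.0/12  */
        (ip & 0xffff0000u) == 0xc0a80000u)     /* 192.168.0.0/16 */
      return ADDR_PRIVATE;
    return ADDR_GLOBAL;
  }
  if (inet_pton(AF_INET6, text, &a6) != 1)
    return ADDR_INVALID;
  if (IN6_IS_ADDR_LINKLOCAL(&a6))
    return ADDR_LINKLOCAL;
  if (IN6_IS_ADDR_LOOPBACK(&a6) || (a6.s6_addr[0] & 0xfe) == 0xfc)
    return ADDR_PRIVATE;
  return ADDR_GLOBAL;
}

/* Hypothetical policy: for_auth != 0 means an authoritative-zone answer.
   Link-local is never published; private is withheld from auth only. */
int should_publish(const char *text, int for_auth)
{
  enum addr_class c = classify(text);
  return c == ADDR_GLOBAL || (c == ADDR_PRIVATE && !for_auth);
}

int main(void)
{
  /* Sample inputs: addresses from the host output quoted in the message. */
  const char *seen[] = { "127.0.0.1", "77.75.106.34", "::1",
                         "fd2a:7fba:ff04:8::", "2a01:348:45:8::" };
  for (size_t i = 0; i < sizeof seen / sizeof *seen; i++)
    printf("%-20s auth=%d internal=%d\n", seen[i],
           should_publish(seen[i], 1), should_publish(seen[i], 0));
  return 0;
}
```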


