[Dnsmasq-discuss] Feature enhancement to rebind protection

Eric Luehrsen ericluehrsen at gmail.com
Mon Jan 29 04:29:40 GMT 2018


Hi Kurt,

I think that my one example use case may have thrown off my intent.

>> It would not be a Bug if it is an appropriately selectable option 
for local administration to configure for their own security requirements.
> I hope it's not your intent to claim that all software should support 
"security requirements" and then proceed to mandate those security 
requirements, but that's what it sounds like you're doing.

I thought I was putting enough emphasis on the concept of choice and 
option. Suggesting I might "mandate" such a thing seems a bit over the 
top. Managing and filtering misuse and abuse of the global DNS for local 
network resolution is a choice for local administration.

> ... deliberately configuring DNS servers to lie to each other wasn't 
ever really part of the design, and it's not particularly polite to 
inflict the resulting complexity on the rest of us.

It is odd that you say this. The problem you mention is the neighborhood 
DNS rebind attacks live in. The global DNS is abused to put addresses 
that belong to one organization under the domain-names of another 
organization. Private address space is just a special case. The option I 
am asking for fights this abuse. It protects "the rest of us" from this 
problem. You should be able to use '--rebind-domain-ok' and 
'--stop-dns-rebind' to filter these attempted hijacks: the former to 
whitelist the domain you own, the latter to prevent the rest of the domains 
from resolving into the network block you operate.

- Eric
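As an added illustration of the filter Eric describes (example code written for this page, not dnsmasq's implementation and not part of the thread): a reply whose name lies under the whitelisted domain passes, while any other name that resolves into the operator's own block, or into private space, is rejected whole. The network block, the owned domain and the sample replies are constructed values.

```python
import ipaddress

# Constructed policy values (assumptions for this example, not from the thread):
# the address block the local operator controls, plus RFC1918 space that
# --stop-dns-rebind already covers, and the one domain the operator owns and
# therefore allows to resolve into those blocks (the role of --rebind-domain-ok).
PROTECTED_NETS = [ipaddress.ip_network("192.0.2.0/24"),   # operator's block (TEST-NET-1)
                  ipaddress.ip_network("10.0.0.0/8")]     # private space
REBIND_DOMAIN_OK = ["example.com"]                        # owned domain


def domain_ok(qname, ok_domains=REBIND_DOMAIN_OK):
    """True when qname equals, or lies under, a whitelisted domain."""
    name = qname.rstrip(".").lower()
    for d in ok_domains:
        d = d.rstrip(".").lower()
        if name == d or name.endswith("." + d):
            return True
    return False


def check_reply(qname, addresses, nets=PROTECTED_NETS, ok_domains=REBIND_DOMAIN_OK):
    """Decide whether a reply may be handed to clients.

    Returns ("allow", []) or ("reject", [offending addresses]). One offending
    address rejects the whole reply, so a protected address cannot be slipped
    in among harmless ones. Mixed IPv4/IPv6 comparisons are simply False.
    """
    if domain_ok(qname, ok_domains):
        return "allow", []
    offending = [a for a in addresses
                 if any(ipaddress.ip_address(a) in n for n in nets)]
    if offending:
        return "reject", offending
    return "allow", []


if __name__ == "__main__":
    # Constructed sample replies: owned name into our block, foreign name to a
    # foreign address, foreign name pointing into our block.
    samples = [("www.example.com", ["192.0.2.10"]),
               ("cdn.example.net", ["203.0.113.5"]),
               ("login.example.net", ["203.0.113.5", "192.0.2.10"])]
    for qname, addrs in samples:
        verdict, bad = check_reply(qname, addrs)
        print(f"{qname}: {verdict}" + (f" (offending {bad})" if bad else ""))
```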