[Dnsmasq-discuss] CERT Vulnerability VU#598349
Josh Soref
jsoref at gmail.com
Fri Oct 5 06:02:37 BST 2018
Simon Kelley <simon at thekelleys.org.uk> wrote:
> So, if I read the replies so far correctly, we have votes both for
> "ignore wpad by default, and give an option to switch that off" and
> "don't ignore wpad by default, but add the code to do so to the example
> config file."
>
> The first is a bit of a problem, if you have
>
> dhcp-name-match=set:wpad-ignore,wpad
> dhcp-ignore-names=tag:wpad-ignore
>
> either in a global config file, or baked into the code.
>
> there's no way to unset the wpad-ignore tag, or override the
> dhcp-ignore-names directive.

Sounds like this isn't the right way to define a configuration.
Since being able to override it seems important.

I'd argue in favor of baking in a number of these things...
Offhand,
"autodiscover" [1]
Probably "www" and "ftp", possibly "ns", and probably "mta-sts" [2].

As for examples, I suppose the next time I revisit dnsmasq, I might
look into the examples problem, currently I'm fighting yaks in pdns
land (which is where I learned about the mta-sts thing, which is
really awful, but, hey).

[1] https://blogs.msdn.microsoft.com/exchangedev/2011/07/07/autodiscover-for-exchange-activesync-developers/
> 2. The client sends an Autodiscover request to https://autodiscover.woodgrovebank.com/autodiscover/autodiscover.xml, and does one of the following:
[2] https://tools.ietf.org/html/rfc8461
> Thus, for a Policy Domain of "example.com", the full URL is
> "https://mta-sts.example.com/.well-known/mta-sts.txt".
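
An added example, not part of the original message and not dnsmasq code: a defender-side audit that reads a dnsmasq leases file and reports DHCP clients that registered one of the names discussed in this thread. The lease lines are constructed, and matching on the first label of the hostname is an assumption of this sketch.

```python
# Names raised in this thread as candidates for being ignored when a DHCP
# client supplies them as its hostname.
RESERVED = {"wpad", "autodiscover", "www", "ftp", "ns", "mta-sts"}

# Constructed sample in the dnsmasq leases-file layout:
#   expiry  MAC (IAID for DHCPv6)  address  hostname  client-id
SAMPLE_LEASES = """\
1538715757 aa:bb:cc:00:00:01 192.168.1.50 laptop 01:aa:bb:cc:00:00:01
1538715800 aa:bb:cc:00:00:02 192.168.1.51 WPAD 01:aa:bb:cc:00:00:02
1538715900 aa:bb:cc:00:00:03 192.168.1.52 * *
1538716000 aa:bb:cc:00:00:04 192.168.1.53 mta-sts.lan *
duid 00:01:00:01:23:45:67:89:aa:bb:cc:00:00:09
1538716100 1234 fd00::53 autodiscover 00:01:00:01:aa:aa:aa:aa:aa:bb:cc:00:00:05
"""


def reserved_label(hostname):
    """Return the reserved name a client-supplied hostname collides with, or None."""
    if hostname == "*":  # dnsmasq writes "*" when the client sent no name
        return None
    # Compare case-insensitively on the first label only (assumption of this sketch).
    first = hostname.rstrip(".").split(".", 1)[0].lower()
    return first if first in RESERVED else None


def audit_leases(text):
    """Return a list of (client, address, hostname, reserved_name) findings."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines and the "duid ..." server-identifier line.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        hit = reserved_label(fields[3])
        if hit:
            findings.append((fields[1], fields[2], fields[3], hit))
    return findings


if __name__ == "__main__":
    for client, addr, name, hit in audit_leases(SAMPLE_LEASES):
        print(f"{client} at {addr} registered {name!r} (reserved: {hit})")
```
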