[Dnsmasq-discuss] Man page of DNSMASQ: --no-ident

Matthew Matthew1471 at Matthew1471.co.uk
Thu Jun 11 02:13:00 UTC 2026


Hi,

Love the software; just an observation: the manual at 
https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html states for 
--no-ident:

*--no-ident*
    Do not respond to class CHAOS and type TXT in domain bind queries.

    Without this option being set, the cache statistics are also
    available in the DNS as answers to queries of class CHAOS and type
    TXT in domain bind. The domain names are cachesize.bind,
    insertions.bind, evictions.bind, misses.bind, hits.bind, auth.bind
    and servers.bind unless disabled at compile-time. An example command
    to query this, using the *dig* utility would be

    dig +short chaos txt cachesize.bind

However looking at the code (src/option.c):

      /* Add TXT records if wanted */
    #ifndef NO_ID
      if (!option_bool(OPT_NO_IDENT))
        {
          add_txt("version.bind", "dnsmasq-" VERSION, 0 );
          add_txt("authors.bind", "Simon Kelley", 0);
          add_txt("copyright.bind", COPYRIGHT, 0);
          add_txt("cachesize.bind", NULL, TXT_STAT_CACHESIZE);
          add_txt("insertions.bind", NULL, TXT_STAT_INSERTS);
          add_txt("evictions.bind", NULL, TXT_STAT_EVICTIONS);
          add_txt("misses.bind", NULL, TXT_STAT_MISSES);
          add_txt("hits.bind", NULL, TXT_STAT_HITS);
    #ifdef HAVE_AUTH
          add_txt("auth.bind", NULL, TXT_STAT_AUTH);
    #endif
          add_txt("servers.bind", NULL, TXT_STAT_SERVERS);
        }
    #endif

There are technically 3 further additional domain names which are not 
documented:

  * auth.bind
  * *authors.bind*
  * cachesize.bind
  * *copyright.bind*
  * evictions.bind
  * hits.bind
  * insertions.bind
  * misses.bind
  * servers.bind
  * *version.bind*

This could lead a reader to not realise that "version.bind" is a 
potential information disclosure issue (for those who worry about that 
sort of thing, especially with the recent patched vulnerabilities) or 
how one could disable that specifically.

Also may I respectfully suggest for your consideration:

 1. auth.bind could do with explaining in the manual that it's the
    "(number of authoritative queries answered)" and nothing to do with
    authentication, DNSSEC auth-ed queries etc. etc.
 2. servers.bind could also explain "(in the format <<Address#Port>>
    <<TotalQueries>> <<FailedQueries>>)"
 3. Maybe some DNSSEC stats could also be available in DNS (if all the
    other stats are), "crypto.bind", "subqueries.bind", "sigfail.bind"
    that appear in the usual statistics message?
 4. Maybe access to the stale stats "stale.bind"?

Kind Regards,
Matthew
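As an added example (not code from this post or from dnsmasq itself), a stdlib-only Python checker that sends a CHAOS/TXT query for each of the ten .bind names in the option.c excerpt above and reports which ones a server still answers, so an operator can confirm that --no-ident really hides version.bind and friends. It assumes a dnsmasq instance reachable over UDP port 53; the function names and the constructed sample values in the comments are mine.

```python
import socket
import struct

QCLASS_CHAOS, QTYPE_TXT = 3, 16  # RFC 1035 class/type codes
# The ten names src/option.c registers unless --no-ident is set.
BIND_NAMES = ["version.bind", "authors.bind", "copyright.bind", "cachesize.bind",
              "insertions.bind", "evictions.bind", "misses.bind", "hits.bind",
              "auth.bind", "servers.bind"]

def build_chaos_txt_query(name, txid=0x1234):
    """Wire-format query for <name> CHAOS TXT, RD bit set like dig does."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)

def _skip_name(msg, off):
    """Offset just past a (possibly compressed) name starting at msg[off]."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_txt_answers(msg):
    """Return (rcode, [TXT strings]) for the CHAOS TXT answers in a response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, texts = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if (rtype, rclass) == (QTYPE_TXT, QCLASS_CHAOS):
            while rdata:  # TXT rdata is a run of <len><chars> strings
                texts.append(rdata[1:1 + rdata[0]].decode(errors="replace"))
                rdata = rdata[1 + rdata[0]:]
    return flags & 0xF, texts

def audit_bind_names(server, port=53, names=BIND_NAMES, timeout=2.0):
    """Map each name the server still answers over UDP to its TXT strings."""
    disclosed = {}  # empty result means --no-ident is effective
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for name in names:
            s.sendto(build_chaos_txt_query(name), (server, port))
            rcode, texts = parse_txt_answers(s.recv(4096))
            if rcode == 0 and texts:
                disclosed[name] = texts
    return disclosed
```

Run `audit_bind_names("192.0.2.53")` (a documentation address standing in for your resolver) before and after adding `no-ident` to dnsmasq.conf; the first run should list version.bind, authors.bind and copyright.bind among the answered names and the second should return an empty dict.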