I think that my one example use case may have thrown off my intent.
>> It would not be a Bug if it is an appropriately selectable option
for local administration to configure for their own security requirements.
> I hope it's not your intent to claim that all software should support
"security requirements" and then proceed to mandate those security
requirements, but that's what it sounds like you're doing.
I thought I was putting enough emphasis on the concept of choice and
option. Suggesting I might "mandate" such a thing seems a bit over the
top. Managing and filtering misuse and abuse of the global DNS for local
network resolution is a choice for local administration.
> ... deliberately configuring DNS servers to lie to each other wasn't
ever really part of the design, and it's not particularly polite to
inflict the resulting complexity on the rest of us.
It is odd that you say this. The problem you mention is the neighborhood
DNS rebind attacks live in. The global DNS is abused to put addresses
that belong to one organization under the domain-names of another
organization. Private address space is just a special case. The option I
am asking for fights this abuse. It protects "the rest of us" from this
problem. You should be able to use'--rebind-domain-ok' and
'--stop-dns-rebind' to filter these attempted hijacks. The former to
white list the domain you own. The later to prevent the rest of domains
from resolving with the network block you operate.
Dnsmasq-discuss mailing list