Hi Kurt,

I think that my one example use case may have thrown off my intent.

>> It would not be a Bug if it is an appropriately selectable option for local administration to configure for their own security requirements.

> I hope it's not your intent to claim that all software should support "security requirements" and then proceed to mandate those security requirements, but that's what it sounds like you're doing.

I thought I was putting enough emphasis on the concept of choice and option. Suggesting I might "mandate" such a thing seems a bit over the top. Managing and filtering misuse and abuse of the global DNS for local network resolution is a choice for local administration.

> ... deliberately configuring DNS servers to lie to each other wasn't ever really part of the design, and it's not particularly polite to inflict the resulting complexity on the rest of us.

It is odd that you say this. The problem you mention is the neighborhood DNS rebind attacks live in. The global DNS is abused to put addresses that belong to one organization under the domain-names of another organization. Private address space is just a special case. The option I am asking for fights this abuse. It protects "the rest of us" from this problem. You should be able to use '--rebind-domain-ok' and '--stop-dns-rebind' to filter these attempted hijacks. The former to whitelist the domain you own. The latter to prevent the rest of domains from resolving with the network block you operate.

- Eric
Dnsmasq-discuss mailing list
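An added illustration of the filtering policy described in the message above (a whitelist of domains you own, plus address blocks that no other domain may resolve into); this is example code, not dnsmasq's own implementation or Eric's, and the protected blocks, the whitelisted domain and the sample answers are constructed. The exact behaviour of dnsmasq's '--stop-dns-rebind' and '--rebind-domain-ok' options is defined by its man page, not by this model.

```python
import ipaddress

# Constructed policy. Models the two options from the thread:
#   "stop-dns-rebind" drops upstream answers that point into protected blocks;
#   "rebind-domain-ok" exempts names under domains the local admin owns.
PROTECTED_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    # A public block "you operate" (placeholder: TEST-NET-3, RFC 5737).
    ipaddress.ip_network("203.0.113.0/24"),
]
REBIND_DOMAIN_OK = ["example.com"]  # placeholder for the domain you own


def name_is_whitelisted(name, ok_domains=REBIND_DOMAIN_OK):
    """True if name equals or is a subdomain of a whitelisted domain."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in ok_domains)


def is_rebind_attempt(name, address, blocks=PROTECTED_BLOCKS,
                      ok_domains=REBIND_DOMAIN_OK):
    """An answer is a rebind attempt when it lands in a protected block
    under a name the local admin does not own."""
    addr = ipaddress.ip_address(address)
    # Mixed v4/v6 membership tests are simply False, which is what we want.
    if not any(addr in block for block in blocks):
        return False  # ordinary public address, nothing to filter
    return not name_is_whitelisted(name, ok_domains)


def filter_answers(answers):
    """Split (name, address) pairs into (kept, dropped) lists."""
    kept, dropped = [], []
    for name, addr in answers:
        (dropped if is_rebind_attempt(name, addr) else kept).append((name, addr))
    return kept, dropped


# Constructed sample upstream answers.
SAMPLE_ANSWERS = [
    ("intranet.example.com.", "192.168.1.10"),  # owned domain: allowed
    ("evil.attacker.test.", "192.168.1.10"),    # private space under foreign name
    ("cdn.attacker.test.", "203.0.113.7"),      # operated block under foreign name
    ("www.attacker.test.", "198.51.100.5"),     # public address: not filtered
    ("fakeexample.com.", "10.0.0.5"),           # not a subdomain of example.com
]

if __name__ == "__main__":
    kept, dropped = filter_answers(SAMPLE_ANSWERS)
    print("kept:", kept)
    print("dropped:", dropped)
```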
