Hey Simon

On 9/8/18 11:17 AM, Simon Kelley wrote:
> The question is, should the above configuration be "baked in" to the code?

As I understand, this vulnerability arises from the Web Proxy Automatic Discovery (WPAD) protocol, not from dnsmasq itself. And, dnsmasq configuration provides - or will provide - a configuration mechanism to obviate the shortcomings of the WPAD protocol.

My inclination would be to *not* change the code, on the off-chance that someone might consider this specific function of the WPAD protocol to be a "feature", and instead, to rely upon the proper dnsmasq configuration, which would make overt to the network administrator just how the "wpad" sub-domain is being handled.

And then, for instance, as you say,

    dhcp-name-match=set:wpad-ignore,wpad
    dhcp-ignore-names=tag:wpad-ignore

could be recommended in the default dnsmasq configuration file.

Also, the CERT note says "Other autodiscovery names, such as, ISATAP, autodiscovery and autoconf may also be exploitable." And dnsmasq could be playing "whack-a-mole" with sub-domain names in the code, if handled that way. It's easier to play "whack-a-mole" from the configuration file.

My first thoughts...

James
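
An added example (not part of the original message and not dnsmasq project code): a Python check that reads a dnsmasq configuration and reports which of the autodiscovery names mentioned in the message would still have a DHCP-supplied hostname accepted. The sample configuration is constructed; comparing names case-insensitively and considering only tags set by dhcp-name-match are assumptions of this example.

```python
import re

# "wpad" plus the other names quoted from the CERT note in the message.
AUTODISCOVERY_NAMES = ("wpad", "isatap", "autodiscovery", "autoconf")

# Constructed sample configuration, using the two lines from the message.
SAMPLE = """\
dhcp-range=192.168.0.50,192.168.0.150,12h   # constructed
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
"""

def parse(conf_text):
    """Return (name_rules, ignore_rules) found in dnsmasq config text."""
    name_rules, ignore_rules = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "dhcp-name-match":                 # set:<tag>,<name>[*]
            m = re.fullmatch(r"set:([^,\s]+),(\S+)", value)
            if m:
                name_rules.append((m.group(1), m.group(2).lower()))
        elif key == "dhcp-ignore-names":             # [tag:<tag>[,tag:<tag>]]
            tags = [t.strip() for t in value.split(",") if t.strip()]
            if all(t.startswith("tag:") for t in tags):
                ignore_rules.append({t[4:] for t in tags})  # empty set = bare option
    return name_rules, ignore_rules

def tags_for(name, name_rules):
    """Tags a client-supplied hostname would receive from dhcp-name-match."""
    name, tags = name.lower(), set()
    for tag, pattern in name_rules:
        if pattern.endswith("*"):                    # single trailing wildcard
            matched = name.startswith(pattern[:-1])
        else:
            matched = name == pattern
        if matched:
            tags.add(tag)
    return tags

def unignored(conf_text, names=AUTODISCOVERY_NAMES):
    """Names for which no dhcp-ignore-names rule has all of its tags set."""
    name_rules, ignore_rules = parse(conf_text)
    # A negated tag ("!x") is never in the matched set, so it counts as not covered.
    return [n for n in names
            if not any(req <= tags_for(n, name_rules) for req in ignore_rules)]

if __name__ == "__main__":
    print("still accepted from DHCP clients:", unignored(SAMPLE))
```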