On 2/26/2015 6:19 PM, Randy Bush wrote:
> could someone whack me with a clue bat as to why the default install has filters for rfc1918 space yet does not filter being an open dns resolver on the wan? and there is a check-box for the former and not the latter (that i could see/understand).

Nothing at all is allowed on WAN by default, hence there is no open DNS resolver by default. dnsmasq binds to *:53 by default, so if you do open up your WAN rules excessively, you'll have an open resolver open to the Internet. You can control interface bindings in its configuration. In 2.2, we switched to Unbound by default (for new configurations only, dnsmasq is still used if you upgraded), which is better in that regard since it has ACLs limiting recursion, which we automatically populate with your internal subnets.

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
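
An added illustration of the reply above (not part of the original message, and not pfSense or Unbound code): a small model of how a recursion ACL of the Unbound kind decides by most specific netblock, next to a resolver bound to *:53 where the WAN firewall rule is the only control. The subnets, the client addresses and the function names are constructed for the example.

```python
import ipaddress

# Constructed ACL in the style of unbound.conf "access-control:" lines.
# Sample subnets only; this is not pfSense's generated configuration.
ACL = [
    ("0.0.0.0/0", "refuse"),       # everything not listed below
    ("127.0.0.0/8", "allow"),
    ("192.168.1.0/24", "allow"),   # assumed LAN
    ("10.10.0.0/16", "allow"),     # assumed second internal subnet
    ("10.10.99.0/24", "refuse"),   # assumed guest VLAN carved out of it
]

def unbound_action(client, acl=ACL):
    """Return the action of the most specific netblock containing client.

    Longest prefix wins, so the order of the entries does not matter.
    With no match at all the client is refused.
    """
    addr = ipaddress.ip_address(client)
    best = None
    for block, action in acl:
        net = ipaddress.ip_network(block)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"

def recursion_answered(client, resolver, wan_rule_allows_53):
    """Would this client get a recursive answer?

    resolver "dnsmasq" is modelled as the reply describes it: bound to
    *:53 with no source ACL. resolver "unbound" consults the ACL above.
    """
    if not wan_rule_allows_53:
        return False               # default WAN policy: nothing allowed in
    if resolver == "dnsmasq":
        return True                # the firewall rule was the only control
    return unbound_action(client) == "allow"

if __name__ == "__main__":
    outside = "203.0.113.7"        # constructed Internet client
    for resolver in ("dnsmasq", "unbound"):
        for rule in (False, True):
            print(resolver, "WAN rule open:", rule, "->",
                  recursion_answered(outside, resolver, rule))
```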
