Re: [Dnsmasq-discuss] suggestion filter out loopback addresses for query

2016-08-02 Thread Dan Sneddon
On 08/02/2016 07:39 AM, Junyang Gu wrote:
> It seems to me that dnsmasq should filter out loopback addresses for DNS
> queries universally, or at least provide such an option.
> 
> Consider such a scenario,
> 
> dnsmasq runs on host1, and host1's /etc/hosts contains 127.0.1.1 host1,
> which is usually the case.
> 
> A second machine host2 queries dnsmasq for host1, and would get
> 127.0.1.1, which is also a valid IP address, except it goes to host2.
> 
> I do not see any scenario where dnsmasq should return a loopback
> address.
> 
> 
> Regards
> 
> 

I can think of scenarios where this would be desired. Imagine an
application that is controlled via DNS with a short TTL, such that
when the server is operating normally a real IP is returned, but
when the main server is down the hosts are redirected to a local cache.
In this case, it would be useful to be able to point hosts at their
local loopback address.

It is also used for "blackholing" certain addresses, such as websites
with known malware or adult content.

I could see filtering localhost responses being a useful option (if it
wasn't mandatory or on by default).

-- 
Dan Sneddon |  Principal OpenStack Engineer
dsned...@redhat.com |  redhat.com/openstack
650.254.4025|  dsneddon:irc   @dxs:twitter

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] suggestion filter out loopback addresses for query

2016-08-02 Thread Albert ARIBAUD
Hi,

On Tue, 02 Aug 2016 10:39:23 -0400,
Junyang Gu wrote:

> It seems to me that dnsmasq should filter out loopback addresses for
> DNS queries universally, or at least provide such an option.
> 
> Consider such a scenario,
> 
> dnsmasq runs on host1, and host1's /etc/hosts contains 127.0.1.1
> host1, which is usually the case.
> 
> A second machine host2 queries dnsmasq for host1, and would get
> 127.0.1.1, which is also a valid IP address, except it goes to host2.
> 
> I do not see any scenario where dnsmasq should return a loopback
> address.

I've seen this method used by NS providers for blackholing suspicious
FQDNs. It makes sure traffic directed at them will not even enter the
Net.

> Regards

Kind regards,
-- 
Albert.

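The two replies above point at the same tension: the original poster's host1 leaks its own 127.0.1.1 line from /etc/hosts to every LAN client, while deliberate loopback answers (the "local cache" fallback and the blackholing of unwanted FQDNs) must keep working. The following is an added example, not dnsmasq code and not from any poster: a small hosts(5)-backed resolver model in Python that applies the filtering the original poster asked for only to non-loopback clients, exempts an explicit blackhole list, and includes an audit function that lists which names in a hosts file would resolve to nothing but loopback for a remote client. The hosts file content, the host and domain names (host1, host1.example.net, ads.example, fileserver) and the client addresses are all constructed for the example.

```python
"""Loopback filtering for a hosts-file-backed resolver.

Added example; it does not reproduce dnsmasq's internals. It models the
behaviour discussed in the thread: a resolver that serves /etc/hosts to
remote clients hands out 127.0.1.1 for the local hostname, which is wrong
on any other machine, whereas names deliberately mapped to loopback
(blackholes, local-cache fallbacks) must still be answered.
"""
import ipaddress

# Constructed sample hosts file; the names and addresses are invented.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
127.0.1.1    host1 host1.example.net
::1          localhost ip6-localhost
192.0.2.10   host1.example.net      # also reachable on the LAN
198.51.100.7 fileserver
127.0.0.1    ads.example            # hosts-file style blackhole entry
"""


def parse_hosts(text):
    """Parse hosts(5) text into {name: [ip_address objects]}.

    Comments are stripped, names are lower-cased, and a name listed on
    several lines collects every address in file order.
    """
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address: skip the line, as hosts readers do
        for name in names:
            table.setdefault(name.lower(), []).append(ip)
    return table


def resolve(name, client_ip, hosts, blackholes=frozenset(), filter_loopback=True):
    """Return the addresses for `name` (as strings) that `client_ip` may see.

    - loopback answers are dropped for clients that are not themselves on
      loopback (a 127.x or ::1 answer only makes sense to a local stub);
    - names in `blackholes` are never filtered, so a deliberate
      name -> 127.0.0.1 sinkhole keeps working;
    - filter_loopback=False reproduces the unfiltered behaviour.
    Returns [] (a NODATA-style answer) when every address was filtered.
    """
    name = name.lower().rstrip(".")
    answers = hosts.get(name, [])
    if not filter_loopback or name in blackholes:
        return [str(a) for a in answers]
    if ipaddress.ip_address(client_ip).is_loopback:
        return [str(a) for a in answers]
    return [str(a) for a in answers if not a.is_loopback]


def loopback_leaks(hosts):
    """Audit: names that would resolve ONLY to loopback for a remote client.

    Run this over a hosts file before exposing the resolver on a LAN; every
    entry returned is either a deliberate blackhole or a leak like host1.
    """
    return {
        name: [str(a) for a in addrs]
        for name, addrs in hosts.items()
        if addrs and all(a.is_loopback for a in addrs)
    }


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for leaked, addrs in sorted(loopback_leaks(table).items()):
        print(f"loopback-only: {leaked} -> {', '.join(addrs)}")
    print("remote client asking for host1:", resolve("host1", "192.0.2.55", table))
    print("local client asking for host1: ", resolve("host1", "127.0.0.1", table))
    print("blackhole for remote client:   ",
          resolve("ads.example", "192.0.2.55", table, blackholes={"ads.example"}))
```

The audit output for the sample file flags host1 (the leak the original poster describes) alongside localhost, ip6-localhost and ads.example (the deliberate ones), which is the distinction a filtering option would have to let the operator draw. With stock dnsmasq, the usual way to get the filtered behaviour is to stop it reading the system file at all (`no-hosts`) and serve a curated copy via `addn-hosts=`, while the blackhole case is expressed directly with `address=/ads.example/127.0.0.1` rather than through /etc/hosts.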