Only tangentially related, but thought it was worth a mention:

http://www.team-cymru.org/Services/Bogons/

They maintain a 'bogon' list of IP ranges that are private (martians) or unassigned by the IANA - i.e. IP addresses that are not valid/routable on the public internet. I currently import it into my netfilter rules with a little cron/wget/sed incantation, but it'd be just as easy to massage it into something dnsmasq could digest.

-- Paul

Simon Kelley wrote:
Andrew Rodland wrote:
Subject line pretty much says it. I have config lines of the form

server=/100.168.192.in-addr.arpa/192.168.100.2

(for a VPN "split DNS" configuration), but if the bogus-priv option is enabled
these queries are returned NXDOMAIN without forwarding to the upstream server.
I've disabled bogus-priv as a workaround, but it's my feeling that an explicit
forwarding server should override the general-purpose option. That way I can
forward the zones that I know exist somewhere, while still getting the benefit
of bogus-priv for completely spurious local IPs.

This is a fine suggestion, but there are two reasons not to do it.

1) It's more difficult to implement than may be apparent, since the bogus-priv logic happens as part of cache processing, and if that yields an address, the forwarding logic which checks the server= lines never gets run.

2) The current behaviour has been there for a long time, and there's a chance that changing it will adversely affect existing installations.

I'd probably override both these objections and do it anyway, if there wasn't a good workaround, but there is. Do this.

1) remove bogus-priv

2) add the lines

local=/.168.192.in-addr.arpa/
local=/.16.172.in-addr.arpa/
local=/.10.in-addr.arpa/
local=/.127.in-addr.arpa/
local=/.254.169.in-addr.arpa/

instead.

(Your server line will be used in preference to the 168.192 one, since it's more specific.)

HTH

Simon.
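As an added example (not code from this thread or from the dnsmasq project), the script below does the "massage it into something dnsmasq could digest" step Paul mentions and illustrates the precedence rule in Simon's last remark. It reads a prefix list in the one-prefix-per-line form a bogon list uses (the embedded list here is a constructed sample, not a real download), converts each prefix into the octet-aligned in-addr.arpa zones that cover it, and emits local= lines in the same leading-dot form used above; note that it expands a /12 into its sixteen /16 reverse zones. The matching_entry function is a simplified model of dnsmasq's longest-suffix domain matching (an assumption, not dnsmasq's code) used only to show why the more specific server= line wins over a broader local= line.

```python
"""Generate dnsmasq local=/.../ lines for reverse (in-addr.arpa) zones from a
list of IPv4 prefixes, and model why a more specific server= entry wins."""
import ipaddress

# Constructed sample input (not a real bogon download): RFC 1918, loopback and
# link-local prefixes, one per line, '#' starts a comment.
SAMPLE_PREFIX_LIST = """\
# constructed sample, not a real bogon download
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
127.0.0.0/8
169.254.0.0/16
"""


def reverse_zones(prefix):
    """Return the in-addr.arpa zone names that exactly cover `prefix`.

    A prefix on an octet boundary (/8, /16, /24, /32) maps to one zone. Any
    other length is first split into the next octet-aligned subnets, so
    172.16.0.0/12 becomes 16.172.in-addr.arpa ... 31.172.in-addr.arpa.
    """
    network = ipaddress.IPv4Network(prefix, strict=False)
    aligned = ((network.prefixlen + 7) // 8) * 8
    if aligned == 0:
        return ["in-addr.arpa"]  # 0.0.0.0/0 covers the whole reverse tree
    if aligned == network.prefixlen:
        subnets = [network]
    else:
        subnets = list(network.subnets(new_prefix=aligned))
    zones = []
    for subnet in subnets:
        octets = str(subnet.network_address).split(".")[: aligned // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def dnsmasq_local_lines(prefix_list_text):
    """Turn a prefix list (comments after '#', blank lines ignored) into
    dnsmasq local= lines, using the leading-dot form from the thread."""
    lines = []
    for raw in prefix_list_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        for zone in reverse_zones(entry):
            lines.append(f"local=/.{zone}/")
    return lines


def matching_entry(qname, entries):
    """Pick the entry that applies to `qname`: the one whose domain is the
    longest suffix of the query name (simplified model of dnsmasq matching,
    an assumption). `entries` are (domain, target) pairs; target is the
    upstream address for server= or None for local=.
    """
    qname = qname.rstrip(".").lower()
    best = None
    for domain, target in entries:
        domain = domain.lstrip(".").lower()
        if qname == domain or qname.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, target)
    return best


if __name__ == "__main__":
    for line in dnsmasq_local_lines(SAMPLE_PREFIX_LIST):
        print(line)
    # The split-DNS server= line from the thread beside the broad local= line.
    entries = [
        (".168.192.in-addr.arpa", None),
        ("100.168.192.in-addr.arpa", "192.168.100.2"),
    ]
    print(matching_entry("7.100.168.192.in-addr.arpa", entries))  # forwarded
    print(matching_entry("7.5.168.192.in-addr.arpa", entries))    # local, NXDOMAIN
```

Run it to print the generated local= lines and the two lookups: a PTR query under 100.168.192.in-addr.arpa is forwarded to 192.168.100.2, while one under any other 192.168.x subnet is answered locally.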
