Message ID | 1443099844-23691-1-git-send-email-kevin@darbyshire-bryant.me.uk |
---|---|
State | Superseded |
There is already "option boguspriv 1" so I do not really see the point. Cheers, Steven
On 24/09/15 15:57, Steven Barth wrote:
> There is already "option boguspriv 1" so I do not really see the point.
>
> Cheers,
>
> Steven

Hi Steven,

Yes, I have the boguspriv option enabled, so I was a little surprised when I enabled logging to see queries being forwarded for the likes of IPv6 link-local addresses. This prompted a question on the dnsmasq list, where my attention was directed to RFC6303. I tweaked a few things to stop most of it.

I can't force my dog food on anyone else, but I know my home system isn't putting extra load on any servers trying to answer questions I know they don't have the answers for.

Cheers,

Kevin
Okay, we can do this; however, we need to figure 3 things out first.

1. Disable boguspriv, doing both is unintuitive.
2. Make sure it doesn't break reverse resolving of locally known hosts, i.e. those in the hostfiles and those that have a DHCP lease.
3. Make sure that it doesn't break applications that sub-delegate some of those addresses (i.e. I have an application that delegates certain private reverse zones to another server/router in the LAN); it does this by placing similar entries into /tmp/dnsmasq.d/ for the respective zones.

Cheers,

Steven
On 24/09/15 17:54, Steven Barth wrote:
> Okay, we can do this, however we need to figure 3 things out first.
>
> 1. Disable boguspriv, doing both is unintuitive.

OK, so extra lines for .10, 16-32.172, 168.192 - an extra 18 lines in total. And an update to luci to remove the bogus priv tick box?

> 2. Make sure it doesn't broke reverse resolving locally known hosts,
> i.e. those in the hostfiles and those that have a DHCP lease.

It doesn't. nslookups for my local boxes on 192.168.n.x, configured either as known hosts or as DHCP leases, work fine. I'd like to think I would have noticed if it didn't.

> 3. Make sure that doesn't break applications that sub-delegate some of
> those addresses (i.e. I have an application that delegates certain
> private reverse zones to another server/router in the lan), it does
> this by placing similar entries into /tmp/dnsmasq.d/ for the
> respective zones.

May I suggest that is a 'special use' case and requires sensible, extra configuration, just like many other uses. I'm suggesting an Internet-friendly default, admittedly one that requires extra effort to disable if a use case requires it.

Kevin
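The three points above (which zones the patch needs once boguspriv goes, whether hosts/leases still answer, and whether a more specific entry dropped into /tmp/dnsmasq.d still wins) can all be checked offline. The following is an added example written for this page; it is not code from the OpenWrt patch or from dnsmasq. It builds the zone list from the thread (the 12 zones in the patch plus the RFC 1918 zones that "option boguspriv 1" covers, which is where Kevin's "18 extra lines" comes from), renders them as the UCI `list server '/zone/'` lines, and models dnsmasq's rule that the most specific `server=/domain/` entry wins and that an entry with no address is never forwarded. The delegated zone `5.168.192.in-addr.arpa` and the address `192.168.1.2` in the `__main__` block are constructed for illustration.

```python
"""RFC 6303 locally-served reverse zones as dnsmasq "server=/zone/" entries.

Added example, not part of the OpenWrt patch or of dnsmasq. It builds the
zone list discussed in the thread, emits it as UCI "list server" lines, and
models dnsmasq's longest-suffix matching of "server=/domain/" entries so the
fate of a reverse query (answered locally, forwarded to a delegated server,
or sent upstream) can be checked without a router.
"""
import ipaddress

# Zones copied from the patch hunk (RFC 6303 sections 4.2 and 4.3).
PATCH_ZONES = [
    "0.in-addr.arpa", "127.in-addr.arpa", "254.169.in-addr.arpa",
    "2.0.192.in-addr.arpa", "100.51.198.in-addr.arpa", "113.0.203.in-addr.arpa",
    "255.255.255.255.in-addr.arpa",
    "d.f.ip6.arpa", "8.e.f.ip6.arpa", "9.e.f.ip6.arpa", "a.e.f.ip6.arpa", "b.e.f.ip6.arpa",
]


def rfc1918_zones():
    """Reverse zones that boguspriv covers: 10/8, 172.16/12 (16 zones), 192.168/16."""
    zones = ["10.in-addr.arpa"]
    zones += ["%d.172.in-addr.arpa" % n for n in range(16, 32)]
    zones.append("168.192.in-addr.arpa")
    return zones


def uci_server_lines(zones):
    """Render zones in the form the patch adds to dhcp.conf."""
    return ["\tlist server '/%s/'" % z for z in zones]


def reverse_name(ip):
    """Reverse-lookup name of an address, e.g. 10.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def matching_zone(name, zones):
    """dnsmasq uses the most specific server=/domain/ entry: longest suffix wins."""
    best = None
    for z in zones:
        if name == z or name.endswith("." + z):
            if best is None or z.count(".") > best.count("."):
                best = z
    return best


def query_fate(ip, policy):
    """policy maps zone -> server address, or None for "answer locally, never forward".

    Returns ("local", zone), ("forward", zone, address) or ("upstream", None).
    "local" means dnsmasq answers only from /etc/hosts and DHCP leases, which is
    why locally known hosts keep resolving (Steven's point 2).
    """
    zone = matching_zone(reverse_name(ip), policy)
    if zone is None:
        return ("upstream", None)
    if policy[zone] is None:
        return ("local", zone)
    return ("forward", zone, policy[zone])


def default_policy():
    """Patch zones plus the RFC 1918 zones, all answered locally (no address)."""
    return {z: None for z in PATCH_ZONES + rfc1918_zones()}


if __name__ == "__main__":
    # Constructed sub-delegation (Steven's point 3): a more specific entry, as
    # dropped into /tmp/dnsmasq.d, hands one /24 to another router on the LAN.
    policy = default_policy()
    policy["5.168.192.in-addr.arpa"] = "192.168.1.2"  # constructed address
    print("\n".join(uci_server_lines(rfc1918_zones())))
    for ip in ("192.168.1.7", "192.168.5.7", "fe80::1", "172.31.0.1", "172.32.0.1", "8.8.8.8"):
        print(ip, reverse_name(ip), query_fate(ip, policy))
```

Because the delegated zone has more labels than `168.192.in-addr.arpa`, the longest-suffix rule sends `192.168.5.x` to the delegated router while every other `192.168.x.y` query stays local, so the default list and a site-specific delegation can coexist without removing any of the default entries.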
diff --git a/package/network/services/dnsmasq/files/dhcp.conf b/package/network/services/dnsmasq/files/dhcp.conf index 362b90a..88ff14d 100644 --- a/package/network/services/dnsmasq/files/dhcp.conf +++ b/package/network/services/dnsmasq/files/dhcp.conf @@ -20,6 +20,18 @@ config dnsmasq #list notinterface lo #list bogusnxdomain '64.94.110.11' option localservice 1 # disable to allow DNS requests from non-local subnets + list server '/0.in-addr.arpa/' + list server '/127.in-addr.arpa/' + list server '/254.169.in-addr.arpa/' + list server '/2.0.192.in-addr.arpa/' + list server '/100.51.198.in-addr.arpa/' + list server '/113.0.203.in-addr.arpa/' + list server '/255.255.255.255.in-addr.arpa/' + list server '/d.f.ip6.arpa/' + list server '/8.e.f.ip6.arpa/' + list server '/9.e.f.ip6.arpa/' + list server '/a.e.f.ip6.arpa/' + list server '/b.e.f.ip6.arpa/' config dhcp lan option interface lan
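Review bot: the zone list in this hunk stops short of RFC 6303 section 4.3, which also names the IPv6 unspecified (::) and loopback (::1) reverse names and 8.b.d.0.1.0.0.2.ip6.arpa for the 2001:db8::/32 documentation prefix, so those queries still go upstream while their IPv4 counterparts (0.in-addr.arpa, 127.in-addr.arpa, 2.0.192.in-addr.arpa) are listed; either add them or say in the commit message that they were left out on purpose. The twelve entries are also the only uncommented additions in a block whose neighbours explain themselves (`option localservice 1 # disable to allow DNS requests from non-local subnets`), and nothing tells a reader that a `list server '/zone/'` with no address is dnsmasq's "never forward, answer only from hosts and leases" form, which is exactly what someone with the sub-delegation setup from the thread needs to know before removing a line; a single comment above the first entry, for example `# RFC 6303 reverse zones answered locally, never forwarded; drop an entry to delegate that zone`, would cover both. Finally, the hunk leaves the existing `option boguspriv 1` in place, so as posted it does the "both" that the thread agreed is unintuitive; the 10, 16-31.172 and 168.192 in-addr.arpa entries would need to be added here when that option goes.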
RFC6303 specifies reverse DNS zones that ideally should not be forwarded to upstream (root) servers and create unnecessary load upon them.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
---
 package/network/services/dnsmasq/files/dhcp.conf | 12 ++++++++++++
 1 file changed, 12 insertions(+)