Re: [Dnsmasq-discuss] configurable stop-dns-rebind?

2010-05-18 Thread clemens fischer
Simon Kelley wrote: clemens fischer wrote: I see src/rfc1035.c::private_net() now has an additional argument ban_localhost used to differentiate its use in bogus-priv and stop-rebind. How about making ban_localhost a real option so that users can decide for themselves what they need? A

Re: [Dnsmasq-discuss] configurable stop-dns-rebind?

2010-05-17 Thread Simon Kelley
clemens fischer wrote: Simon Kelley wrote: clemens fischer wrote: To me your changes from test25..test27 were quite adequate by using the bogus-priv checks. Rob said he wants his VPN remotes to resolve. I can imagine he just enters the remotes as rebind-domain-ok domains and be happy. I

Re: [Dnsmasq-discuss] configurable stop-dns-rebind?

2010-05-15 Thread clemens fischer
Simon Kelley wrote: The fact that stop-dns-rebind blocks 127.0.0.0 is a bit of a coincidence, which comes from the fact that it uses the same address-checking code as --bogus-priv. My understanding of the rebind attack is that it can't be done via 127.0.0.1: That might get you a backdoor into

Re: [Dnsmasq-discuss] configurable stop-dns-rebind?

2010-05-15 Thread Simon Kelley
clemens fischer wrote: Hi Simon, did you intend to send this privately? The dnsmasq list was not Cc'ed. Simon Kelley: clemens fischer wrote: Simon Kelley wrote: The fact that stop-dns-rebind blocks 127.0.0.0 is a bit of a coincidence, which comes from the fact that it uses the same

Re: [Dnsmasq-discuss] configurable stop-dns-rebind?

2010-05-15 Thread clemens fischer
Simon Kelley wrote: clemens fischer wrote: To me your changes from test25..test27 were quite adequate by using the bogus-priv checks. Rob said he wants his VPN remotes to resolve. I can imagine he just enters the remotes as rebind-domain-ok domains and be happy. I think so too, but it

Re: [Dnsmasq-discuss] configurable stop-dns-rebind?

2010-05-14 Thread Simon Kelley
clemens fischer wrote: Simon Kelley wrote: I added the offending domain to the log message and turned it on on my mail server box, which is running spamassassin. In addition to the three you have, I've added rebind-domain-ok=/rfc-ignorant.org/ rebind-domain-ok=/sorbs.net/

Re: [Dnsmasq-discuss] configurable stop-dns-rebind?

2010-05-13 Thread Simon Kelley
clemens fischer wrote: Simon Kelley wrote: I added the offending domain to the log message and turned it on on my mail server box, which is running spamassassin. In addition to the three you have, I've added rebind-domain-ok=/rfc-ignorant.org/ rebind-domain-ok=/sorbs.net/

Re: [Dnsmasq-discuss] configurable stop-dns-rebind?

2010-05-12 Thread clemens fischer
Simon Kelley wrote: OK, try test25, in the usual place. I called the option --rebind-domain-ok but otherwise it's as Clemens describes. What can I say? It just works! I have stop-dns-rebind on and three dnsbl's configured: --rebind-domain-ok=/zen.spamhaus.org/

Re: [Dnsmasq-discuss] configurable stop-dns-rebind?

2010-05-12 Thread Simon Kelley
clemens fischer wrote: Simon Kelley wrote: OK, try test25, in the usual place. I called the option --rebind-domain-ok but otherwise it's as Clemens describes. What can I say? It just works! I have stop-dns-rebind on and three dnsbl's configured:

Re: [Dnsmasq-discuss] configurable stop-dns-rebind?

2010-05-11 Thread /dev/rob0
On Tue, May 11, 2010 at 01:02:30AM +0200, clemens fischer wrote: rbl-domain is the better way. Dnsmasq would still need to add to the internal structure keeping server info indicating that the stop-dns-rebind is disabled for the rbl-domains. I would suggest that RBL is not the proper term, it

Re: [Dnsmasq-discuss] configurable stop-dns-rebind?

2010-05-11 Thread clemens fischer
/dev/rob0 wrote: I would suggest that RBL is not the proper term, it is DNSBL. RBL refers specifically to the MAPS RBL. Good idea. I've never had the issue, because I don't use --stop-dns-rebind. I have VPN-linked RFC 1918 netblocks that I want to resolve on the other ends of the VPN. So,

Re: [Dnsmasq-discuss] configurable stop-dns-rebind?

2010-05-10 Thread Simon Kelley
clemens fischer wrote: Hi, I have one little nit with option stop-dns-rebind: it breaks the RBL's needed to defend against spam. If only it could be a sub-option to the server option to select which servers are allowed to receive answers in the 127/8 or some other range! Maybe a new

[Dnsmasq-discuss] configurable stop-dns-rebind?

2010-05-08 Thread clemens fischer
Hi, I have one little nit with option stop-dns-rebind: it breaks the RBL's needed to defend against spam. If only it could be a sub-option to the server option to select which servers are allowed to receive answers in the 127/8 or some other range! Maybe a new option is needed, because server