 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-commits] r397 - in branches/freebsd6: . phpconf/inc webgui
 Date:  Thu, 15 Jul 2010 22:19:20 -0400
On Thu, Jul 15, 2010 at 6:51 AM,  <svn at m0n0 dot ch> wrote:
> Author: awhite
> Date: 2010-07-15 12:51:23 +0200 (Thu, 15 Jul 2010)
> New Revision: 397
> Modified:
>   branches/freebsd6/CHANGELOG
>   branches/freebsd6/phpconf/inc/services.inc
>   branches/freebsd6/webgui/services_dnsmasq.php
> Log:
> make dnsmasq use --stop-dns-rebind by default to increase security and protect against dns rebind

This is a good change, though it has some ramifications for how a lot
of people use m0n0wall; it'll break a number of systems on upgrade. It
stops responses (with private IPs) from the typical domain forwarding
configuration, where for example you may use it for Active Directory
or other internal name resolution. An option to disable it helps, but
dnsmasq allows more flexible configuration options, such as excluding
specific domains, which would be a nice option to have so you don't
have to disable that protection entirely in such scenarios. pfSense
automatically adds forwarded domains to the exclusion list, since in
the vast majority of cases those are going to return private IPs; it
might be a good idea to do that, as it should eliminate virtually all
breakage on upgrade while retaining the security benefits.

At a minimum, I would definitely give a heads up in the release notes
as to the effects of that change, so people know to disable it if
it'll break their system.
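The configuration pattern discussed above (enable dnsmasq's rebind protection, but exempt every forwarded domain from it), shown as an added example. This is not m0n0wall's or pfSense's code; m0n0wall builds its dnsmasq config in PHP (services.inc), whereas this is a standalone POSIX sh script that emits the equivalent dnsmasq.conf lines from a constructed list of "domain upstream" forwarding pairs. It uses dnsmasq's real `stop-dns-rebind`, `server=/domain/ip` and `rebind-domain-ok=/domain/.../` options; the FORWARDS sample and the function names are invented for the example.

```shell
#!/bin/sh
# Added example: generate a dnsmasq config fragment that enables
# --stop-dns-rebind but exempts every forwarded (internal) domain via
# rebind-domain-ok, so private answers from those zones are not dropped.

# Constructed sample input (not from any real m0n0wall config):
# one "domain upstream-server" pair per line.
FORWARDS='corp.example 10.0.0.53
ad.example 192.168.1.10'

# gen_dnsmasq_conf "<forwards>"
# Prints: stop-dns-rebind, one server=/domain/ip line per forward, and a
# single rebind-domain-ok line listing all forwarded domains.
gen_dnsmasq_conf() {
    forwards="$1"
    echo "stop-dns-rebind"
    printf '%s\n' "$forwards" | while read -r domain ip; do
        [ -n "$domain" ] || continue
        echo "server=/$domain/$ip"
    done
    # dnsmasq accepts several domains in one option: /a.example/b.example/
    domains=$(printf '%s\n' "$forwards" | awk 'NF { printf "/%s", $1 } END { print "/" }')
    [ "$domains" = "/" ] || echo "rebind-domain-ok=$domains"
}

# check_rebind_exclusions "<config text>"
# Returns 0 if every server=/domain/ forward is also listed in
# rebind-domain-ok, 1 otherwise. This is the check that would have caught
# the upgrade breakage: rebind protection on, forwarded zone not exempted.
check_rebind_exclusions() {
    conf="$1"
    ok=$(printf '%s\n' "$conf" | sed -n 's/^rebind-domain-ok=//p')
    printf '%s\n' "$conf" | sed -n 's#^server=/\([^/]*\)/.*#\1#p' | while read -r d; do
        case "$ok" in
            */"$d"/*) ;;
            *) echo "forwarded domain $d is not excluded from rebind protection" >&2
               exit 1 ;;
        esac
    done
}

# Constructed "weak" config resembling the r397 default: protection on,
# forward present, no exclusion.
WEAK='stop-dns-rebind
server=/corp.example/10.0.0.53'

if [ "${1:-}" = "--demo" ]; then
    conf=$(gen_dnsmasq_conf "$FORWARDS")
    printf '%s\n' "$conf"
    check_rebind_exclusions "$conf" && echo "generated config: all forwards exempted"
    check_rebind_exclusions "$WEAK" || echo "weak config: rebind protection would break the forward"
fi
```

Run with `sh script.sh --demo` to print the generated fragment and both check results. The exemption is per forwarded domain only, so rebind protection stays active for every other name; a forward to a public resolver would also be exempted by this logic, which is the trade-off Chris describes as acceptable because forwarded zones almost always return private addresses.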