I will add the exclusion for configured zones/delegation
I think maybe it's safer to enable it by default if the admin password is still
the default, otherwise it has to be specifically enabled?
I assume pfSense doesn't have this on by default, which is why it's on the
list?
On Fri, Jul 16, 2010 at 3:19 AM, Chris Buechler <cbuechler at gmail dot com> wrote:
> On Thu, Jul 15, 2010 at 6:51 AM, <svn at m0n0 dot ch> wrote:
> > Author: awhite
> > Date: 2010-07-15 12:51:23 +0200 (Thu, 15 Jul 2010)
> > New Revision: 397
> >
> > Modified:
> > branches/freebsd6/CHANGELOG
> > branches/freebsd6/phpconf/inc/services.inc
> > branches/freebsd6/webgui/services_dnsmasq.php
> > Log:
> > make dnsmasq use --stop-dns-rebind by default to increase security and
> > protect against dns rebind attacks.
> >
>
> This is a good change, though has some ramifications for how a lot of
> people use m0n0wall, it'll break a number of systems on upgrade. It
> stops responses (with private IPs) from the typical domain forwarding
> configuration, where for example you may use it for Active Directory
> or other internal name resolution. An option to disable it helps, but
> dnsmasq allows more flexible configuration options, such as excluding
> specific domains, which would be a nice option to have so you don't
> have to disable that protection entirely in such scenarios. pfSense
> automatically adds forwarded domains to the exclusion list since in
> the vast majority of cases those are going to return private IPs,
> might be a good idea to do that as it should eliminate virtually all
> breakage on upgrade while retaining the security benefits.
>
> At a minimum, I would definitely give a heads up in the release notes
> as to the effects of that change, so people know to disable it if
> it'll break their system.
>
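The approach the thread converges on (keep --stop-dns-rebind on, but exempt every forwarded domain via --rebind-domain-ok the way pfSense does), written out as an added Python illustration; this is not m0n0wall's PHP in services.inc, and the zone names and addresses are constructed. The second function approximates which answers the filter drops, which shows the AD breakage Chris describes.

```python
import ipaddress
from typing import Dict, List


def normalize(domain: str) -> str:
    """Lower-case a domain and strip whitespace and a trailing dot."""
    return domain.strip().lower().rstrip(".")


def dnsmasq_rebind_args(domain_overrides: Dict[str, str],
                        stop_dns_rebind: bool = True) -> List[str]:
    """Build dnsmasq arguments for domain forwarding with rebind protection.

    domain_overrides maps a forwarded zone (an Active Directory domain, for
    instance) to the upstream server that answers for it.  With protection
    on, every forwarded zone is also listed in --rebind-domain-ok, so the
    private-range answers those upstreams legitimately return are kept while
    every other name stays protected.
    """
    args: List[str] = []
    exempt: List[str] = []
    for domain, server in sorted(domain_overrides.items()):
        d = normalize(domain)
        if not d:
            raise ValueError("empty domain in override list")
        ipaddress.ip_address(server)  # must be an IP literal; raises otherwise
        args.append(f"--server=/{d}/{server}")
        exempt.append(d)
    if stop_dns_rebind:
        args.append("--stop-dns-rebind")
        if exempt:
            # dnsmasq accepts several domains in one option: /a/b/c/
            args.append("--rebind-domain-ok=/" + "/".join(exempt) + "/")
    return args


def would_be_dropped(name: str, answer: str, exempt: List[str]) -> bool:
    """Approximate dnsmasq's rebind filter: a private-range answer is
    discarded unless the queried name lies inside an exempted domain.
    ipaddress.is_private is a superset of dnsmasq's own range list."""
    if not ipaddress.ip_address(answer).is_private:
        return False
    n = normalize(name)
    return not any(n == d or n.endswith("." + d) for d in map(normalize, exempt))
```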