On Fri, Jul 25, 2008 at 5:41 AM, Angus MacGyver <macgyver at calibre dash solutions dot co dot uk> wrote:

> Great - thanks for the update.
>
> Will both DnsMasq and the ipfilter fixes be ported back to 1.2.x series?
> (site says not to use 1.3beta for production - hence the question)

I use 1.3 in production, I would say it's safe for production use. A lot of folks do, as it's the only release compatible with ALIX hardware.

> Now the only other question remains - would it be worthwhile to set
> internal DNS servers to use m0n0wall's Dnsmasq as a forwarder to get
> around this temporarily?
>
> I guess that might save a lot of sysadmin's work re-jigging a network with
> DHCP scopes for clients etc - or even having to "trust" 3rd party DNS
> servers.

That's an option, if the servers that m0n0wall uses are patched. Another alternative is to use OpenDNS either directly on the internal servers for recursion, or on m0n0wall by entering 208.67.222.222 and 208.67.220.220 in the DNS server boxes on the General page.

If you use OpenDNS directly on your internal servers you're going to lose your source port entropy on queries to OpenDNS, but with this specific issue that isn't directly relevant as you're only susceptible to issues on the recursive query side, which OpenDNS never had an issue with even before this came out.

It would be better to use m0n0wall's forwarder, with it using a patched external DNS server.

-Chris