On 07/15/2010 09:19 PM, Chris Buechler wrote:
> This is a good change, though has some ramifications for how a lot of
> people use m0n0wall, it'll break a number of systems on upgrade. It
> stops responses (with private IPs) from the typical domain forwarding
> configuration, where for example you may use it for Active Directory
> or other internal name resolution. An option to disable it helps, but
> dnsmasq allows more flexible configuration options, such as excluding
> specific domains, which would be a nice option to have so you don't
> have to disable that protection entirely in such scenarios. pfSense
> automatically adds forwarded domains to the exclusion list since in
> the vast majority of cases those are going to return private IPs,
> might be a good idea to do that as it should eliminate virtually all
> breakage on upgrade while retaining the security benefits.
> At a minimum, I would definitely give a heads up in the release notes
> as to the effects of that change, so people know to disable it if
> it'll break their system.
If I am reading it correctly, it would break almost all of mine.