Commit 7e8c0957 authored by Franco Fichtner's avatar Franco Fichtner

dnsmasq: use canned --bogus-priv for no_private_reverse #1573

parent 66691090
...@@ -143,19 +143,9 @@ function dnsmasq_configure_do($verbose = false) ...@@ -143,19 +143,9 @@ function dnsmasq_configure_do($verbose = false)
} }
} }
/* If selected, then first forward reverse lookups for private IPv4 addresses to nowhere. */ /* Prevent bogus lookups of unknown private ranges */
/* If any of these are duplicated by a user-specified domain override (e.g. 10.in-addr.arpa) then */
/* the user-specified entry made later on the command line below will be the one that is effective. */
if (isset($config['dnsmasq']['no_private_reverse'])) { if (isset($config['dnsmasq']['no_private_reverse'])) {
/* Note: Carrier Grade NAT (CGN) addresses 100.64.0.0/10 are intentionally not here. */ $args .= " --bogus-priv ";
/* End-users should not be aware of CGN addresses, so reverse lookups for these should not happen. */
/* Just the OPNsense WAN might get a CGN address from an ISP. */
$args .= " --server=/10.in-addr.arpa/ ";
$args .= " --server=/168.192.in-addr.arpa/ ";
/* Unfortunately the 172.16.0.0/12 range does not map nicely to the in-addr.arpa scheme. */
for ($subnet_num = 16; $subnet_num < 32; $subnet_num++) {
$args .= " --server=/" . $subnet_num . ".172.in-addr.arpa/ ";
}
} }
/* Setup forwarded domains */ /* Setup forwarded domains */
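Review bot: The replacement comment on the `no_private_reverse` branch drops two facts the removed comments recorded: that a user-specified domain override such as 10.in-addr.arpa takes precedence over the built-in blocking, and that CGN 100.64.0.0/10 was deliberately left out. With `--bogus-priv` the set of ranges and the interaction with `--server=/.../` overrides are decided inside dnsmasq rather than here, so both points should be re-checked against the dnsmasq version that is shipped. A silently ignored override would break internal reverse zones, and a different range set changes which private PTR queries can reach the upstream resolver. I would extend the comment to something like `/* --bogus-priv: dnsmasq answers "no such domain" for private-range reverse lookups not found in hosts/leases; the covered ranges and precedence over domain overrides are defined by dnsmasq, see dnsmasq(8) */`. The body of dnsmasq_configure_do starts and ends outside this hunk, so the ordering relative to the forwarded-domain arguments is not visible here.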
......