author | Jim P <jim@pingle.org> | 2013-03-06 05:06:44 -0800 |
---|---|---|
committer | Jim P <jim@pingle.org> | 2013-03-06 05:06:44 -0800 |
commit | b710a07883fbc0a462e5aad6bf6f6d85f1126615 (patch) | |
tree | 1989b60dd6aa447a6929943ae86a3604827eeffb | |
parent | dcddb2fa412f0b6bf9db089963ea56012c406e52 (diff) | |
parent | 0a7985ba3bcd0165eb06451c9e531d57c3cf17b7 (diff) | |
Merge pull request #463 from phil-davis/master
Add DNS Forwarder option to not forward private reverse lookups
-rw-r--r-- | etc/inc/services.inc | 13 | ||||
-rwxr-xr-x | usr/local/www/services_dnsmasq.php | 15 |
2 files changed, 27 insertions, 1 deletions
diff --git a/etc/inc/services.inc b/etc/inc/services.inc index 8c69cb0..03325cd 100644 --- a/etc/inc/services.inc +++ b/etc/inc/services.inc @@ -1565,6 +1565,19 @@ function services_dnsmasq_configure() { } } + /* If selected, then forward reverse lookups for private IPv4 addresses to nowhere. */ + if (isset($config['dnsmasq']['no_private_reverse'])) { + /* Note: Carrier Grade NAT (CGN) addresses 100.64.0.0/10 are intentionally not here. */ + /* End-users should not be aware of CGN addresses, so reverse lookups for these should not happen. */ + /* Just the pfSense WAN might get a CGN address from an ISP. */ + $args .= " --server=/10.in-addr.arpa/ "; + $args .= " --server=/168.192.in-addr.arpa/ "; + /* Unfortunately the 172.16.0.0/12 range does not map nicely to the in-addr.arpa scheme. */ + for ($subnet_num = 16; $subnet_num < 32; $subnet_num++) { + $args .= " --server=/" . $subnet_num . ".172.in-addr.arpa/ "; + } + } + /* Allow DNS Rebind for forwarded domains */ if (isset($config['dnsmasq']['domainoverrides']) && is_array($config['dnsmasq']['domainoverrides'])) { if(!isset($config['system']['webgui']['nodnsrebindcheck'])) { diff --git a/usr/local/www/services_dnsmasq.php b/usr/local/www/services_dnsmasq.php index 2313588..1d67b6f 100755 --- a/usr/local/www/services_dnsmasq.php +++ b/usr/local/www/services_dnsmasq.php @@ -50,6 +50,7 @@ $pconfig['regdhcpstatic'] = isset($config['dnsmasq']['regdhcpstatic']); $pconfig['dhcpfirst'] = isset($config['dnsmasq']['dhcpfirst']); $pconfig['strict_order'] = isset($config['dnsmasq']['strict_order']); $pconfig['domain_needed'] = isset($config['dnsmasq']['domain_needed']); +$pconfig['no_private_reverse'] = isset($config['dnsmasq']['no_private_reverse']); $pconfig['custom_options'] = $config['dnsmasq']['custom_options']; if (!is_array($config['dnsmasq']['hosts'])) 
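Review bot: The blocked zones in the new `no_private_reverse` branch cover only the RFC 1918 IPv4 ranges, so on a forwarder that also serves IPv6 clients, PTR queries for ULA addresses (the `d.f.ip6.arpa` zone RFC 6303 lists as local-only, alongside `10.in-addr.arpa` and the others used here) would still go to the upstream resolver, which is the same disclosure of internal addressing this option is meant to prevent; either add `$args .= " --server=/d.f.ip6.arpa/ ";` next to the IPv4 entries or say in the leading comment that the scope is IPv4 only, so the WAN-facing behaviour is what the GUI text promises. An address-less `--server=/zone/` is dnsmasq's "never forward" form, so the choice of directive is right, and the loop bound `$subnet_num < 32` yields exactly `16.172` through `31.172` for 172.16.0.0/12. The enclosing function `services_dnsmasq_configure` starts and ends outside the hunk.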
@@ -73,6 +74,7 @@ if ($_POST) { $config['dnsmasq']['dhcpfirst'] = ($_POST['dhcpfirst']) ? true : false; $config['dnsmasq']['strict_order'] = ($_POST['strict_order']) ? true : false; $config['dnsmasq']['domain_needed'] = ($_POST['domain_needed']) ? true : false; + $config['dnsmasq']['no_private_reverse'] = ($_POST['no_private_reverse']) ? true : false; $config['dnsmasq']['custom_options'] = str_replace("\r\n", "\n", $_POST['custom_options']); if ($config['dnsmasq']['custom_options']) { @@ -196,7 +198,7 @@ function show_advanced_dns() { </td> </tr> <tr> - <td rowspan="2" width="22%" valign="top" class="vncellreq"><?=gettext("DNS Query Forwarding");?></td> + <td rowspan="3" width="22%" valign="top" class="vncellreq"><?=gettext("DNS Query Forwarding");?></td> <td width="78%" class="vtable"><p> <input name="strict_order" type="checkbox" id="strict_order" value="yes" <?php if ($pconfig['strict_order'] == "yes") echo "checked";?>> <strong><?=gettext("Query DNS servers sequentially");?><br> 
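Review bot: In the `$_POST` hunk the new line reads `$_POST['no_private_reverse']` directly, which raises an undefined-index notice whenever the checkbox is submitted unchecked; `isset($_POST['no_private_reverse'])` gives the same true/false result without the notice. The adjacent `dhcpfirst`, `strict_order` and `domain_needed` lines share the pattern, so this only keeps the new line from repeating it. The enclosing `if ($_POST)` block starts and ends outside the hunk.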
@@ -217,6 +219,17 @@ function show_advanced_dns() { </td> </tr> <tr> + <td width="78%" class="vtable"><p> + <input name="no_private_reverse" type="checkbox" id="no_private_reverse" value="yes" <?php if ($pconfig['no_private_reverse'] == "yes") echo "checked";?>> + <strong><?=gettext("Do not forward private reverse lookups");?><br> + </strong><?php printf(gettext("If this option is set, %s DNS Forwarder (dnsmasq) will ". + "not forward reverse DNS lookups (PTR) for private addresses (RFC 1918) to upstream name servers. ". + "Any entries in the Domain Overrides section forwarding private \"n.n.n.in-addr.arpa\" names to a specific server are still forwarded. ". + "If the IP to name is not known from /etc/hosts, DHCP or a specific domain override then a \"not found\" answer is immediately returned. ". + ""), $g['product_name']); ?></p> + </td> + </tr> + <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("Advanced");?></td> <td width="78%" class="vtable"><p> <div id="showadvbox" <?php if ($pconfig['custom_options']) echo "style='display:none'"; ?>> |
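Review bot: The checked-state test `$pconfig['no_private_reverse'] == "yes"` only works because `$pconfig['no_private_reverse']` is the boolean from `isset()` and PHP's loose comparison treats `true == "yes"` as true; `if ($pconfig['no_private_reverse']) echo "checked";` states the intent directly and does not depend on that coercion. The help text also ends with a dangling `. ""` concatenation that adds nothing and can be dropped. The enclosing function `show_advanced_dns` starts and ends outside the hunk.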