authorPhil Davis <phil.davis@world.inf.org>2013-03-06 17:59:11 +0545
committerPhil Davis <phil.davis@world.inf.org>2013-03-06 17:59:11 +0545
commit0a7985ba3bcd0165eb06451c9e531d57c3cf17b7 (patch)
tree532a07325ccbdcfb085521a1ab495c9d1ba4dc84 /etc
parent7bdd28fb7e0b0ac9a8b814090c8b0a4029c87b10 (diff)
downloadpfsense-0a7985ba3bcd0165eb06451c9e531d57c3cf17b7.zip
pfsense-0a7985ba3bcd0165eb06451c9e531d57c3cf17b7.tar.gz
Add DNS Forwarder option to not forward private reverse lookups
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/services.inc13
1 files changed, 13 insertions, 0 deletions
diff --git a/etc/inc/services.inc b/etc/inc/services.inc
index 8c69cb0..03325cd 100644
--- a/etc/inc/services.inc
+++ b/etc/inc/services.inc
@@ -1565,6 +1565,19 @@ function services_dnsmasq_configure() {
}
}
+ /* If selected, then forward reverse lookups for private IPv4 addresses to nowhere. */
+ if (isset($config['dnsmasq']['no_private_reverse'])) {
+ /* Note: Carrier Grade NAT (CGN) addresses 100.64.0.0/10 are intentionally not here. */
+ /* End-users should not be aware of CGN addresses, so reverse lookups for these should not happen. */
+ /* Just the pfSense WAN might get a CGN address from an ISP. */
+ $args .= " --server=/10.in-addr.arpa/ ";
+ $args .= " --server=/168.192.in-addr.arpa/ ";
+ /* Unfortunately the 172.16.0.0/12 range does not map nicely to the in-addr.arpa scheme. */
+ for ($subnet_num = 16; $subnet_num < 32; $subnet_num++) {
+ $args .= " --server=/" . $subnet_num . ".172.in-addr.arpa/ ";
+ }
+ }
+
/* Allow DNS Rebind for forwarded domains */
if (isset($config['dnsmasq']['domainoverrides']) && is_array($config['dnsmasq']['domainoverrides'])) {
if(!isset($config['system']['webgui']['nodnsrebindcheck'])) {
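Review bot: The new `--server=/…in-addr.arpa/` entries are appended just before the domain-override block, and nothing in the added comments says how they interact with a user-defined override for the same reverse zone, such as `10.in-addr.arpa` pointed at an internal DNS server. In that case dnsmasq would be given two `--server` entries for one domain, one empty and one with an address, and this hunk does not show which of them takes effect. If the empty entry wins, enabling the option would silently stop internal reverse DNS from resolving. I would check that and record the intended precedence next to the block, e.g. `/* A domain override for the same or a more specific in-addr.arpa zone is expected to still be forwarded. */`. The comment could also state that only RFC 1918 space is covered, so reverse lookups for 169.254.0.0/16 and IPv6 unique-local addresses are still sent upstream; services_dnsmasq_configure() begins and ends outside the hunk.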