authorJim P <jim@pingle.org>2013-03-06 05:06:44 -0800
committerJim P <jim@pingle.org>2013-03-06 05:06:44 -0800
commitb710a07883fbc0a462e5aad6bf6f6d85f1126615 (patch)
tree1989b60dd6aa447a6929943ae86a3604827eeffb /etc
parentdcddb2fa412f0b6bf9db089963ea56012c406e52 (diff)
parent0a7985ba3bcd0165eb06451c9e531d57c3cf17b7 (diff)
downloadpfsense-b710a07883fbc0a462e5aad6bf6f6d85f1126615.zip
pfsense-b710a07883fbc0a462e5aad6bf6f6d85f1126615.tar.gz
Merge pull request #463 from phil-davis/master
Add DNS Forwarder option to not forward private reverse lookups
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/services.inc13
1 files changed, 13 insertions, 0 deletions
diff --git a/etc/inc/services.inc b/etc/inc/services.inc
index 8c69cb0..03325cd 100644
--- a/etc/inc/services.inc
+++ b/etc/inc/services.inc
@@ -1565,6 +1565,19 @@ function services_dnsmasq_configure() {
}
}
+ /* If selected, then forward reverse lookups for private IPv4 addresses to nowhere. */
+ if (isset($config['dnsmasq']['no_private_reverse'])) {
+ /* Note: Carrier Grade NAT (CGN) addresses 100.64.0.0/10 are intentionally not here. */
+ /* End-users should not be aware of CGN addresses, so reverse lookups for these should not happen. */
+ /* Just the pfSense WAN might get a CGN address from an ISP. */
+ $args .= " --server=/10.in-addr.arpa/ ";
+ $args .= " --server=/168.192.in-addr.arpa/ ";
+ /* Unfortunately the 172.16.0.0/12 range does not map nicely to the in-addr.arpa scheme. */
+ for ($subnet_num = 16; $subnet_num < 32; $subnet_num++) {
+ $args .= " --server=/" . $subnet_num . ".172.in-addr.arpa/ ";
+ }
+ }
+
/* Allow DNS Rebind for forwarded domains */
if (isset($config['dnsmasq']['domainoverrides']) && is_array($config['dnsmasq']['domainoverrides'])) {
if(!isset($config['system']['webgui']['nodnsrebindcheck'])) {
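Review bot: The empty `--server=/…in-addr.arpa/` entries appended in the `no_private_reverse` block are emitted just before the domain-override handling that begins at the end of this hunk, and nothing visible here says how the two interact when an admin already has a domain override for one of the same reverse zones (for example `168.192.in-addr.arpa` pointed at an internal resolver). If dnsmasq ends up with two `--server` entries for the same domain, it is not evident from this code which one wins, so either the override or the protection against leaking internal PTR queries upstream could be lost silently. Once the behaviour is confirmed, it should be stated in a comment above the block, e.g. `/* A domain override for the same or a more specific reverse zone is still honoured; see the override loop below. */`. The block also covers only RFC 1918 space, so reverse lookups for 169.254.0.0/16 and for IPv6 ULA or link-local addresses are still forwarded; the first comment says IPv4, and the option's user-facing description should carry the same limit. services_dnsmasq_configure() starts and ends outside the hunk.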