author | Jim P <jim@pingle.org> | 2013-03-06 05:06:44 -0800 |
---|---|---|
committer | Jim P <jim@pingle.org> | 2013-03-06 05:06:44 -0800 |
commit | b710a07883fbc0a462e5aad6bf6f6d85f1126615 (patch) | |
tree | 1989b60dd6aa447a6929943ae86a3604827eeffb /etc | |
parent | dcddb2fa412f0b6bf9db089963ea56012c406e52 (diff) | |
parent | 0a7985ba3bcd0165eb06451c9e531d57c3cf17b7 (diff) | |
Merge pull request #463 from phil-davis/master
Add DNS Forwarder option to not forward private reverse lookups
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/services.inc | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/etc/inc/services.inc b/etc/inc/services.inc
index 8c69cb0..03325cd 100644
--- a/etc/inc/services.inc
+++ b/etc/inc/services.inc
@@ -1565,6 +1565,19 @@ function services_dnsmasq_configure() {
 }
 }
 
+ /* If selected, then forward reverse lookups for private IPv4 addresses to nowhere. */
+ if (isset($config['dnsmasq']['no_private_reverse'])) {
+ /* Note: Carrier Grade NAT (CGN) addresses 100.64.0.0/10 are intentionally not here. */
+ /* End-users should not be aware of CGN addresses, so reverse lookups for these should not happen. */
+ /* Just the pfSense WAN might get a CGN address from an ISP. */
+ $args .= " --server=/10.in-addr.arpa/ ";
+ $args .= " --server=/168.192.in-addr.arpa/ ";
+ /* Unfortunately the 172.16.0.0/12 range does not map nicely to the in-addr.arpa scheme. */
+ for ($subnet_num = 16; $subnet_num < 32; $subnet_num++) {
+ $args .= " --server=/" . $subnet_num . ".172.in-addr.arpa/ ";
+ }
+ }
+
 /* Allow DNS Rebind for forwarded domains */
 if (isset($config['dnsmasq']['domainoverrides']) && is_array($config['dnsmasq']['domainoverrides'])) {
 if(!isset($config['system']['webgui']['nodnsrebindcheck'])) { |
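Review bot: The new `no_private_reverse` block covers only the three RFC 1918 ranges, so PTR queries for link-local 169.254.0.0/16 and for IPv6 unique-local addresses are still forwarded upstream and keep disclosing internal addressing to the upstream resolver. Consider adding `$args .= " --server=/254.169.in-addr.arpa/ ";` (and the matching `ip6.arpa` zones), or evaluate dnsmasq's built-in `--bogus-priv` if the bundled version supports it. Separately, if an admin already has a domain override for one of these reverse zones, two `--server=/<zone>/...` entries for the same zone would end up in `$args`; the override code lies outside this hunk, so it is worth confirming which entry dnsmasq honours and recording that in a comment such as `/* A domain override for the same reverse zone takes precedence / is overridden here - verified against dnsmasq X.Y */`.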