From 7bdd28fb7e0b0ac9a8b814090c8b0a4029c87b10 Mon Sep 17 00:00:00 2001 From: Phil Davis Date: Wed, 6 Mar 2013 17:56:21 +0545 Subject: Add DNS Forwarder option to not forward private reverse lookups Currently, reverse lookups of private IP addresses that are not resolved on the pfSense box itself (e.g. like 192.168.42.43) are forwarded to the default DNS servers. For most use cases, those PTR queries go out to the real internet, when they actually have no chance of a successful answer. This loads up the real internet DNS servers with rubbish requests and also causes a round-trip delay before dnsmasq can reply with a "not found". This change tells dnsmasq not to forward these requests. Note that users can add specific domain overrides, which are implemented before this option. So a user can forward "1.168.192.in-addr.arpa" to an internal DNS server that knows about 192.168.1.0/24 - and then turn on this new option and all other requests for private reverse lookups will not be forwarded.
---
 usr/local/www/services_dnsmasq.php | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'usr/local/www/services_dnsmasq.php')
diff --git a/usr/local/www/services_dnsmasq.php b/usr/local/www/services_dnsmasq.php
index 2313588..1d67b6f 100755
--- a/usr/local/www/services_dnsmasq.php
+++ b/usr/local/www/services_dnsmasq.php
@@ -50,6 +50,7 @@ $pconfig['regdhcpstatic'] = isset($config['dnsmasq']['regdhcpstatic']);
 $pconfig['dhcpfirst'] = isset($config['dnsmasq']['dhcpfirst']);
 $pconfig['strict_order'] = isset($config['dnsmasq']['strict_order']);
 $pconfig['domain_needed'] = isset($config['dnsmasq']['domain_needed']);
+$pconfig['no_private_reverse'] = isset($config['dnsmasq']['no_private_reverse']);
 $pconfig['custom_options'] = $config['dnsmasq']['custom_options'];
 if (!is_array($config['dnsmasq']['hosts'])) 
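Review bot: `isset($config['dnsmasq']['no_private_reverse'])` on the added line treats any non-null value as enabled, while the matching write in the `if ($_POST)` hunk stores an explicit `false` when the box is unchecked. Unless the configuration is re-read before it is next consulted (not visible here), an `isset()` test would report the option as on straight after it was switched off; clearing the key in the unchecked case, `unset($config['dnsmasq']['no_private_reverse']);`, would make the two sides agree. The neighbouring options follow the same pattern, so this is an inherited convention rather than something this commit introduces. The diffstat lists only this page, so the code that turns the flag into a dnsmasq argument (presumably `--bogus-priv`) is not part of this commit; it should test the key the same way, and if it is not already in place, private PTR queries keep going upstream whatever the checkbox says.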
@@ -73,6 +74,7 @@ if ($_POST) {
 $config['dnsmasq']['dhcpfirst'] = ($_POST['dhcpfirst']) ? true : false;
 $config['dnsmasq']['strict_order'] = ($_POST['strict_order']) ? true : false;
 $config['dnsmasq']['domain_needed'] = ($_POST['domain_needed']) ? true : false;
+ $config['dnsmasq']['no_private_reverse'] = ($_POST['no_private_reverse']) ? true : false;
 $config['dnsmasq']['custom_options'] = str_replace("\r\n", "\n", $_POST['custom_options']);
 if ($config['dnsmasq']['custom_options']) {
@@ -196,7 +198,7 @@ function show_advanced_dns() { - +

>
@@ -217,6 +219,17 @@ function show_advanced_dns() { +

+ > +
+

+ + +

> -- cgit v1.1