Hi,Love the software, just an observation, the manual at https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html states for --no-ident:
*--no-ident*
Do not respond to class CHAOS and type TXT in domain bind queries.
Without this option being set, the cache statistics are also
available in the DNS as answers to queries of class CHAOS and type
TXT in domain bind. The domain names are cachesize.bind,
insertions.bind, evictions.bind, misses.bind, hits.bind, auth.bind
and servers.bind unless disabled at compile-time. An example command
to query this, using the *dig* utility would be
dig +short chaos txt cachesize.bind
However looking at the code (src/option.c):
6096 /* Add TXT records if wanted */
6097 #ifndef NO_ID
6098 if (!option_bool(OPT_NO_IDENT))
6099 {
6100 add_txt("version.bind", "dnsmasq-" VERSION, 0 );
6101 add_txt("authors.bind", "Simon Kelley", 0);
6102 add_txt("copyright.bind", COPYRIGHT, 0);
6103 add_txt("cachesize.bind", NULL, TXT_STAT_CACHESIZE);
6104 add_txt("insertions.bind", NULL, TXT_STAT_INSERTS);
6105 add_txt("evictions.bind", NULL, TXT_STAT_EVICTIONS);
6106 add_txt("misses.bind", NULL, TXT_STAT_MISSES);
6107 add_txt("hits.bind", NULL, TXT_STAT_HITS);
6108 #ifdef HAVE_AUTH
6109 add_txt("auth.bind", NULL, TXT_STAT_AUTH);
6110 #endif
6111 add_txt("servers.bind", NULL, TXT_STAT_SERVERS);
6112 }
6113 #endif
There's technically 3 further additional domain names which are not
documented:
* auth.bind * *authors.bind* * cachesize.bind * *copyright.bind* * evictions.bind * hits.bind * insertions.bind * misses.bind * servers.bind * *version.bind*This could lead a reader to not realise that "version.bind" is a potential information disclosure issue (for those who worry about that sort of thing, especially with the recent patched vulnerabilities) or how one could disable that specifically.
Also may I respectfully suggest for your consideration: 1. auth.bind could do with explaining in the manual that it's the "(number of authoritative queries answered)" and nothing to do with authentication, DNSSEC auth-ed queries etc. etc. 2. servers.bind could also explain "(in the format <<Address#Port>> <<TotalQueries>> <<FailedQueries>>)" 3. Maybe some DNSSEC stats could also be available in DNS (if all the other stats are), "crypto.bind", "subqueries.bind", "sigfail.bind" that appear in the usual statistics message? 4. Maybe access to the stale stats "stale.bind"? Kind Regards, Matthew
_______________________________________________ Dnsmasq-discuss mailing list [email protected] https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。