On 05/07/2015 05:58 AM, Michal Privoznik wrote:
On 06.05.2015 15:29, Cédric Bosdonnat wrote:
> When building vlans on top of veth networks, dnsmasq doesn't catch
> DNS requests on the vlans interfaces. Allowing to disable the
> bind-dynamic helps this use case.
> ---
>
> /* using --bind-dynamic with only --interface (no
> * --listen-address) prevents dnsmasq from responding to dns
> * queries that arrive on some interface other than our bridge
>
Since this is not the first request I see to disable dynamic bind I
think it's really needed. I'm too lazy to dig out the other requests
from history (maybe it was a bugzilla I saw, or an IRC chat, or here on
the list, ...).
The problem is that we started using --bind-dynamic in response to
CVE-2012-3411:
https://bugzilla.redhat.com/show_bug.cgi?id=833033
For more history, look at commit 753ff83a (when --bind-dynamic was
originally added, resolving the CVE), d66eb786 (which re-removed
listening on localhost, accidentally removed in the previous commit),
then finally commit 4b31da34 (which made a similar fix available for
older dnsmasq versions that don't have bind-dynamic and don't require it).
I think using --bind-dynamic is too big a stick for this problem -
instead maybe we should see if there's a reasonable way to update the
interface list to add and remove the veth interfaces as the lxc domains
are started and stopped (the complication here is that dnsmasq would
probably need to be restarted after changing the interface list, since
it drops all capabilities and changes to user "nobody" immediately after
its initialization.
I also remember somebody asking about the behavior that is caused by
bind-dynamic, but can't find it right now via google or in my irc logs.
So likely it would be good to add such an option anyway, just not named
"binddynamic" (the name of that option doesn't make any sense even in
the context of dnsmasq! :-P). Instead, it should be called something
like "publiclyAccessible" (that's a bit long, but you get the idea), so:
<dns publiclyAccessible='yes'/>
Again, though, I don't think users of LXC domains should be forced to
throw such a big switch just to get DNS working for their guests.