On 05/07/2015 05:58 AM, Michal Privoznik wrote:
> On 06.05.2015 15:29, Cédric Bosdonnat wrote:
>> When building vlans on top of veth networks, dnsmasq doesn't catch
>> DNS requests on the vlan interfaces. Allowing to disable the
>> bind-dynamic helps this use case.
>> ---
>>
>>     /* using --bind-dynamic with only --interface (no
>>      * --listen-address) prevents dnsmasq from responding to dns
>>      * queries that arrive on some interface other than our bridge
>>
> Since this is not the first request I see to disable dynamic bind I
> think it's really needed. I'm too lazy to dig out the other requests
> from history (maybe it was a bugzilla I saw, or an IRC chat, or here on
> the list, ...).

The problem is that we started using --bind-dynamic in response to
CVE-2012-3411:

https://bugzilla.redhat.com/show_bug.cgi?id=833033

For more history, look at commit 753ff83a (when --bind-dynamic was
originally added, resolving the CVE), d66eb786 (which re-removed
listening on localhost, accidentally removed in the previous commit),
then finally commit 4b31da34 (which made a similar fix available for
older dnsmasq versions that don't have bind-dynamic and don't require
it).

I think using --bind-dynamic is too big a stick for this problem -
instead maybe we should see if there's a reasonable way to update the
interface list to add and remove the veth interfaces as the lxc domains
are started and stopped (the complication here is that dnsmasq would
probably need to be restarted after changing the interface list, since
it drops all capabilities and changes to user "nobody" immediately after
its initialization).

I also remember somebody asking about the behavior that is caused by
bind-dynamic, but can't find it right now via google or in my irc logs.
So likely it would be good to add such an option anyway, just not named
"binddynamic" (the name of that option doesn't make any sense even in
the context of dnsmasq! :-P).

Instead, it should be called something like "publiclyAccessible" (that's
a bit long, but you get the idea), so:

  <dns publiclyAccessible='yes'/>

Again, though, I don't think users of LXC domains should be forced to
throw such a big switch just to get DNS working for their guests.

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
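The trade-off discussed in the thread, as an added example (this is not code from the thread or from libvirt): it renders the dnsmasq listen stanza a libvirt-style network definition would get by default, with the proposed `publiclyAccessible` switch, and with the alternative of listing the guests' veth interfaces explicitly, then audits a conf for which interfaces the resulting dnsmasq would answer on. The XML attribute, the exact directive set, and the sample network definitions are assumptions for illustration; the audit models the thread's characterisation (no bind-dynamic means dnsmasq binds the wildcard address and is reachable from any host interface), not dnsmasq's own per-packet filtering.

```python
"""Added example, not libvirt's code: dnsmasq listen stanza with and without
the 'publiclyAccessible' switch proposed in the thread, plus an audit of
which interfaces a given conf would answer on.  Directive set, XML attribute
and sample definitions are assumptions for illustration."""
import xml.etree.ElementTree as ET

# Constructed sample network definitions; only <bridge> and <dns> matter here.
NETWORK_DEFAULT = """<network>
  <name>default</name>
  <bridge name='virbr0'/>
  <dns/>
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
</network>"""
NETWORK_PUBLIC = NETWORK_DEFAULT.replace("<dns/>", "<dns publiclyAccessible='yes'/>")


def listen_directives(network_xml, extra_ifaces=()):
    """Return the dnsmasq directives controlling where it listens.

    extra_ifaces models the alternative suggested in the reply: keep
    bind-dynamic and add the lxc guests' veth interfaces to the interface
    list (which, as the reply notes, would need a dnsmasq restart)."""
    root = ET.fromstring(network_xml)
    bridge = root.find("bridge").get("name")
    dns = root.find("dns")
    public = dns is not None and dns.get("publiclyAccessible") == "yes"
    lines = ["except-interface=lo"]
    if not public:
        # Default since the CVE-2012-3411 fix: sockets are bound to the
        # listed interfaces only, so a query arriving anywhere else (a host
        # NIC, but also a vlan on a veth) is never received.
        lines.append("bind-dynamic")
    lines.append("interface=%s" % bridge)
    for iface in extra_ifaces:
        lines.append("interface=%s" % iface)
    return lines


def audit(conf_lines):
    """Classify a dnsmasq conf: ('bound', ifaces) when bind-dynamic or
    bind-interfaces restrict the sockets to the listed interfaces, else
    ('wildcard', ifaces) meaning dnsmasq binds 0.0.0.0:53 on the host."""
    opts = [l.strip() for l in conf_lines if l.strip() and not l.lstrip().startswith("#")]
    ifaces = [o.split("=", 1)[1] for o in opts if o.startswith("interface=")]
    bound = "bind-dynamic" in opts or "bind-interfaces" in opts
    return ("bound" if bound else "wildcard"), ifaces


def would_answer(conf_lines, arriving_iface):
    """True if a query arriving on arriving_iface reaches dnsmasq.  In
    wildcard mode that is any interface on the host, which is the
    'publicly accessible' cost of flipping the proposed switch."""
    mode, ifaces = audit(conf_lines)
    if mode == "bound":
        return arriving_iface in ifaces
    return True


if __name__ == "__main__":
    cases = (
        ("default", listen_directives(NETWORK_DEFAULT)),
        ("publiclyAccessible", listen_directives(NETWORK_PUBLIC)),
        ("default + veth listed", listen_directives(NETWORK_DEFAULT, ["veth0.100"])),
    )
    for label, conf in cases:
        print(label, conf, audit(conf))
        for iface in ("virbr0", "veth0.100", "eth0"):
            print("  query on %-9s answered: %s" % (iface, would_answer(conf, iface)))
```

Run against a real host, the `audit`/`would_answer` pair can be pointed at the conf files libvirt writes for each network to see which of the three states a network is in; the third case is the per-guest interface list the reply prefers over the global switch.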