dnsmasq configuration needs changes for 2.79
Looks like host overrides might need some adjustments with dnsmasq 2.79. It is not in builds yet but once master switches to the new quarterly branch it will be there.
From the Change Log
Always return a SERVFAIL answer to DNS queries without the
recursion desired bit set, UNLESS acting as an authoritative
DNS server. This avoids a potential route to cache snooping.
And from FreeBSD-ports UPDATING:
AFFECTS: users of dns/dnsmasq
Note that with dnsmasq 2.79, some parts of the interface have changed in an
incompatible way versus previous versions. This comprises changed recursion
behaviour, signature support, a change for SIGINT (vs. SIGHUP) behaviour.
Note especially that dnsmasq will no longer answer non-recursive queries
unless it is marked authoritative! Be sure to see the manual page for the
various --auth-* options, such as --auth-zone.
Please see the CHANGELOG that ships with dnsmasq for details.
#1 Updated by Jim Pingle over 1 year ago
- Status changed from New to Feedback
Existing behavior in the DNS Forwarder all appears to function as expected. Could use some additional confirmation but I don't think there is anything that needs adjusting based on how this is used in pfSense in a recursive resolver mode, even with host overrides.