What's Changed
DNS Security Audit Improvements
DNAT DNS Validation Fixes:
- Fixed IP range parsing for translated addresses (e.g., 192.168.3.253-192.168.3.254)
- Added dual-DNS support: accept configurations where DHCP DNS includes both the gateway and a third-party DNS server
- Per-network DHCP DNS validation: each DNAT rule now validates against its specific network's DHCP DNS servers
- New destination filter validation: detect DNAT rules whose destination filter matches only one resolver address, so they catch only some DNS bypass attempts
- Site-wide vs specialized DNS: third-party DNS only on Corporate networks is treated as specialized internal DNS
- Corporate networks exempt from DNS consistency checks (may use internal DNS)
- Reduced DNS probe timeouts from 3s to 1s for faster detection
New Issue Type:
DNS_DNAT_RESTRICTED_DESTINATION: Raised when a DNAT rule specifies a destination address without the invert flag, so it redirects only DNS traffic sent to that one destination and clients pointed at any other resolver bypass it
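The checks listed above, as an added example that is not the project's own code: it expands a translated-address range, validates each DNAT rule against the DHCP DNS servers of its own network (accepting the gateway alongside a third-party resolver, the dual-DNS case), and flags a specific destination filter without the invert flag as DNS_DNAT_RESTRICTED_DESTINATION. The Network and DnatRule structures, the sample data and the second issue name DNS_DNAT_TRANSLATED_MISMATCH are assumptions made for this illustration; only DNS_DNAT_RESTRICTED_DESTINATION comes from the release notes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Network:
    name: str
    gateway: str
    dhcp_dns: List[str]  # resolvers DHCP hands out on this network


@dataclass
class DnatRule:
    name: str
    network: str                       # network the rule applies to
    translated: str                    # "a.b.c.d" or inclusive "a.b.c.d-a.b.c.e"
    dst_address: Optional[str] = None  # destination filter; None means any destination
    dst_invert: bool = False           # True: match every destination EXCEPT dst_address


def parse_translated(value: str) -> Set[ipaddress.IPv4Address]:
    """Expand a translated-address field into the IPv4 addresses it covers.
    Accepts a single address or an inclusive 'start-end' range."""
    start, _, end = value.partition("-")
    first = ipaddress.IPv4Address(start.strip())
    last = ipaddress.IPv4Address(end.strip()) if end else first
    if last < first:
        raise ValueError(f"range end precedes start: {value!r}")
    if int(last) - int(first) > 255:
        raise ValueError(f"range too large for a resolver pool: {value!r}")
    return {ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)}


def analyze(rules: List[DnatRule], networks: List[Network]) -> List[Tuple[str, str]]:
    """Return (issue_type, rule_name) pairs. Every rule is checked against the
    DHCP DNS servers of its own network, not a site-wide list."""
    nets = {n.name: n for n in networks}
    issues: List[Tuple[str, str]] = []
    for rule in rules:
        net = nets[rule.network]
        # A destination filter without invert only redirects queries aimed at
        # that one resolver; a client configured for any other resolver bypasses it.
        if rule.dst_address is not None and not rule.dst_invert:
            issues.append(("DNS_DNAT_RESTRICTED_DESTINATION", rule.name))
        # Dual-DNS: the gateway and the network's third-party resolvers are both
        # acceptable redirect targets.
        allowed = {ipaddress.IPv4Address(a) for a in net.dhcp_dns}
        allowed.add(ipaddress.IPv4Address(net.gateway))
        if not parse_translated(rule.translated) <= allowed:
            issues.append(("DNS_DNAT_TRANSLATED_MISMATCH", rule.name))  # hypothetical issue name
    return issues


# Constructed sample configuration (not taken from any real site).
SAMPLE_NETWORKS = [
    Network("LAN", gateway="192.168.1.1", dhcp_dns=["192.168.1.1", "1.1.1.1"]),
    Network("IoT", gateway="192.168.3.1", dhcp_dns=["192.168.3.253", "192.168.3.254"]),
]

SAMPLE_RULES = [
    # Redirects all IoT DNS to the two internal resolvers: clean.
    DnatRule("iot-dns", "IoT", "192.168.3.253-192.168.3.254"),
    # Only catches queries sent to 8.8.8.8; any other resolver slips through.
    DnatRule("lan-dns-restricted", "LAN", "192.168.1.1", dst_address="8.8.8.8"),
    # Inverted filter: everything NOT already going to 1.1.1.1 is redirected: clean.
    DnatRule("lan-dns-inverted", "LAN", "1.1.1.1", dst_address="1.1.1.1", dst_invert=True),
    # Redirects to a resolver the IoT network's DHCP never advertises.
    DnatRule("iot-wrong", "IoT", "9.9.9.9"),
]


if __name__ == "__main__":
    for issue_type, rule_name in analyze(SAMPLE_RULES, SAMPLE_NETWORKS):
        print(f"{issue_type}: {rule_name}")
```

The subset test on the translated range is deliberately strict: if a rule's translated range includes an address the network's DHCP clients are never told about, the rule is reported rather than silently accepted.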
Test Coverage:
- DnsSecurityAnalyzer coverage improved from 65.4% to 93.5% line coverage
- Added 20 new DNS security analyzer tests
Full Changelog: v0.10.8...v0.10.9