[Dnsmasq-discuss] restricting dnsmasq listen addresses

Simon Kelley simon at thekelleys.org.uk
Mon Apr 9 22:07:20 BST 2007


Carla Schroder wrote:
> I want to limit dnsmasq to listen only on my LAN interfaces, but right now 
> it's open to the world. This is my conf:
> 
> domain-needed
> bogus-priv
> local=/alrac.net/
> expand-hosts
> domain=alrac.net
> 
> #dnsmasq use own dns server
> listen-address=127.0.0.1
> 
> #listen only on LAN addresses
> listen-address=192.168.1.50
> listen-address=192.168.2.50
> 
> #upstream servers
> server=12.169.174.2
> server=12.169.174.3
> 
> But both netstat and nmap confirm that Dnsmasq is listening to all interfaces, 
> as this netstat output shows:
> 
> # netstat -untap
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      595/dnsmasq
> tcp6       0      0 :::53                   :::*                    LISTEN      595/dnsmasq
> udp        0      0 0.0.0.0:53              0.0.0.0:*                           595/dnsmasq
> udp        0      0 0.0.0.0:67              0.0.0.0:*                           595/dnsmasq
> udp6       0      0 :::53                   :::*                                595/dnsmasq
> 
> Nmap, run from a remote host with my firewall turned off, confirms that DNS is 
> open to the world:
> 
> PORT     STATE    SERVICE
> 53/tcp   open     domain
> 
> Or it would be, without my nice iptables firewall.
> 
> I have tried using various combinations of options, like
> 
> interface=ath0
> interface=eth0
> except-interface=eth1
> 
> But it still listens to all interfaces and addresses. Any ideas how to make it 
> listen only on certain interfaces or addresses?
> 

By default, dnsmasq rejects DNS queries in user space, not the kernel. 
Nmap may think that DNS is open to the world, but DNS requests from the 
world will be dropped.

If you want to have the kernel do the access control instead of dnsmasq 
itself, use the "bind-interfaces" flag.

HTH

Simon.
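A check for the distinction Simon draws, added here as an example (not code from the thread or from the dnsmasq project): it parses `netstat -untap` output and reports DNS sockets bound to the wildcard address, which is the signature of dnsmasq filtering in user space rather than the kernel delivering only to the configured addresses. Both listings are constructed: the first is modelled on the output quoted above, the second is the assumed listing after adding `bind-interfaces` to that configuration.

```python
from typing import Dict, List

# Constructed sample, modelled on the netstat -untap output quoted in the thread
# (the wrapped PID/Program column joined back onto each line).
BEFORE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      595/dnsmasq
tcp6       0      0 :::53                   :::*                    LISTEN      595/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           595/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           595/dnsmasq
udp6       0      0 :::53                   :::*                                595/dnsmasq
"""

# Constructed (assumed): the DNS sockets once bind-interfaces is set together with
# the three listen-address lines from the original configuration.
AFTER = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      595/dnsmasq
tcp        0      0 192.168.1.50:53         0.0.0.0:*               LISTEN      595/dnsmasq
tcp        0      0 192.168.2.50:53         0.0.0.0:*               LISTEN      595/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           595/dnsmasq
udp        0      0 192.168.1.50:53         0.0.0.0:*                           595/dnsmasq
udp        0      0 192.168.2.50:53         0.0.0.0:*                           595/dnsmasq
"""


def parse_listeners(netstat_output: str) -> List[Dict[str, str]]:
    """Turn netstat -untap socket lines into {proto, addr, port, program} records."""
    rows = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip the banner and header; real socket lines start with tcp/tcp6/udp/udp6.
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue
        # Split the local address on its last ':' so ':::53' yields addr '::', port '53'.
        addr, _, port = fields[3].rpartition(":")
        rows.append({"proto": fields[0], "addr": addr, "port": port, "program": fields[-1]})
    return rows


def wildcard_dns_listeners(netstat_output: str, program: str = "dnsmasq") -> List[str]:
    """List 'proto addr:port' for port-53 sockets of `program` bound to 0.0.0.0 or ::.

    A non-empty result means the kernel hands every interface's queries to dnsmasq,
    which then decides in user space whether to answer (the default Simon describes);
    an empty result means the kernel only delivers to the configured addresses.
    """
    return [f"{r['proto']} {r['addr']}:{r['port']}" for r in parse_listeners(netstat_output)
            if r["port"] == "53" and r["addr"] in ("0.0.0.0", "::")
            and r["program"].endswith("/" + program)]
```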
