[Dnsmasq-discuss] DNSMasq and DNS reflection attacks

Kevin Darbyshire-Bryant kevin at darbyshire-bryant.me.uk
Thu Oct 24 17:29:13 BST 2013


On 24/10/2013 17:03, Brian Rak wrote:
> We've recently undertaken a project to clean up our network, and lock
> down all the open DNS resolvers.  As you may know, these are very
> frequently used for DDOS attacks: http://openresolverproject.org/ ,
> http://www.team-cymru.org/Services/Resolvers/ .
>
> I haven't been able to find any sort of configuration option that
> would prevent DNSMasq from being abused like this, and I've had to
> resort to iptables rules instead.  Is there a configuration option
> that would disable responding to DNS queries from certain
> interfaces?  The other option that seems handy would be one to only
> reply to DNS queries from hosts that have a configured DHCP lease.
>
> Are there any features of DNSMasq that would prevent it from being
> abused to conduct attacks?

I instantly thought of the '-interface' & '-except-interface' options. 
I'm probably missing something.

-- 
Cheers,

Kevin at Darbyshire-Bryant.me.uk {TB}
M: +44 7947 355344 H: +44 1256 478597
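
The options named in the reply above, written in dnsmasq's configuration-file form, as an added example that is not part of the original message. The interface names br-lan (internal LAN) and eth0 (Internet-facing) are assumptions; substitute your own.

```conf
# dnsmasq.conf fragment (constructed example; br-lan and eth0 are assumed names)

# Serve DNS (and DHCP) only on the internal LAN interface.
# dnsmasq adds the loopback interface automatically when interface= is used.
interface=br-lan

# Never serve the Internet-facing interface. except-interface always
# overrides interface= and listen-address=, regardless of option order.
except-interface=eth0

# Without this, dnsmasq binds the wildcard address and discards queries
# that arrive on interfaces it should not serve. With it, dnsmasq binds
# only the addresses of the interfaces it serves, so no socket is open
# on the WAN address at all.
bind-interfaces
```

To confirm the result, send a query to the WAN address from a host outside the network (for example `dig @<wan-address> example.com`, where `<wan-address>` is a placeholder) and check that it gets no answer.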

