[Dnsmasq-discuss] DNSMasq and DNS reflection attacks
simon at thekelleys.org.uk
Fri Oct 25 10:52:24 BST 2013
On 24/10/13 18:11, Brian Rak wrote:
> Ah, but that's the problem. The machines I'm referring to only have one
> interface. So, I'm primarily running this on virtual machine hosts. They
> have one connection to the internet, and no internal network.
> So, for example we have a virtual machine host running with eth0 being
> 198.51.100.10. DNSMasq is configured to listen on eth0 and provide
> 198.51.100.11-198.51.100.15 for any virtual machines that start up
> (virtual machines are recognized by preconfigured static leases, all
> other DHCP requests are ignored). The virtual machines are all bridged
> to the eth0 interface, and have no other connectivity.
> I should also note that my primary concern is preventing my machines
> from being abused to attack other people's machines. Cases where someone
> would abuse my DNS server to attack my own machines are not currently a
> concern (as they're significantly easier to block).
There's nothing in dnsmasq to mitigate this situation. I suppose that an
option to only reply to queries from local subnet(s) would do it, but I
think once you're in this place, a firewall rule to block incoming port
53 UDP is the simplest, most obvious and most correct solution.
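The firewall approach Simon recommends, written out as an added example (not part of the thread): allow DNS to the host only from the subnet the guests live in, log and drop everything else on port 53. It assumes eth0 and a 198.51.100.0/24 prefix, which the thread does not state.

```shell
#!/bin/sh
# Added example, not from the list thread. Assumptions: dnsmasq listens
# on eth0 (198.51.100.10) and the bridged guests use 198.51.100.0/24;
# the thread gives the addresses but not the prefix length.

# Dry-run by default: print each iptables command. APPLY=1 executes them.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Emit (or apply) the rules for one interface and one local subnet.
dns_firewall_rules() {
    iface="$1"
    subnet="$2"
    for proto in udp tcp; do
        # Queries from the local subnet (the VMs bridged to eth0) are answered.
        run iptables -A INPUT -i "$iface" -p "$proto" --dport 53 -s "$subnet" -j ACCEPT
        # Log a rate-limited sample of everything else so reflection attempts
        # against the resolver show up in the system log.
        run iptables -A INPUT -i "$iface" -p "$proto" --dport 53 \
            -m limit --limit 5/min -j LOG --log-prefix "dns-reflect: "
        # Then drop. Replies to dnsmasq's own upstream queries arrive with
        # source port 53, not destination port 53, so the guests still resolve.
        run iptables -A INPUT -i "$iface" -p "$proto" --dport 53 -j DROP
    done
}

# Stand-alone use: print the rules for the example host.
dns_firewall_rules eth0 198.51.100.0/24
```

Run with `APPLY=1` as root to install the rules; without it the script only prints them for review.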