[Dnsmasq-discuss] DNSMasq and DNS reflection attacks

Simon Kelley simon at thekelleys.org.uk
Fri Oct 25 10:52:24 BST 2013


On 24/10/13 18:11, Brian Rak wrote:

> Ah, but that's the problem. The machines I'm referring to only have one
> interface. So, I'm primarily running this on virtual machine hosts. They
> have one connection to the internet, and no internal network.
>
> So, for example we have a virtual machine host running with eth0 being
> 198.51.100.10. DNSMasq is configured to listen on eth0 and provide
> 198.51.100.11-198.51.100.15 for any virtual machines that start up
> (virtual machines are recognized by preconfigured static leases, all
> other DHCP requests are ignored). The virtual machines are all bridged
> to the eth0 interface, and have no other connectivity.
>
> I should also note that my primary concern is preventing my machines
> from being abused to attack other people's machines. Cases where someone
> would abuse my DNS server to attack my own machines are not currently a
> concern (as they're significantly easier to block).

There's nothing in dnsmasq to mitigate this situation. I suppose that an 
option to only reply to queries from local subnet(s) would do it, but I 
think once you're in this place, a firewall rule to block incoming port 
53 UDP is the simplest, most obvious and most correct solution.

Cheers,

Simon.
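As an added example, not code from the dnsmasq project or from either poster, here is the firewall rule Simon describes, written as an nftables ruleset for the setup Brian lays out: dnsmasq on a single public interface eth0, with bridged VMs at 198.51.100.11 through 198.51.100.15 that still need to reach it. Inbound port 53 from anywhere else on eth0 is dropped, so the host cannot be used as a reflector, while the VM addresses and the host's own upstream replies keep working. The interface name, the table and chain names, and the script's file argument are assumptions; only the addresses come from the thread. (Later dnsmasq releases added a --local-service option that restricts answers to local subnets, which is the option Simon says did not exist at the time; the firewall rule works on any version.)

```shell
#!/bin/sh
# Added example (not from the dnsmasq project or the list post): generate an
# nftables ruleset that lets only the bridged VM addresses query dnsmasq on
# eth0 and drops every other inbound DNS packet on that interface.
# Addresses are the ones given in the thread; IFACE and the table/chain
# names are assumptions.
set -eu

IFACE="${IFACE:-eth0}"
# VM addresses handed out by the static leases (198.51.100.11-15).
VM_RANGE="${VM_RANGE:-198.51.100.11-198.51.100.15}"

# Print the ruleset to stdout so it can be reviewed before it is applied.
dns_ruleset() {
  cat <<EOF
table inet dns_guard {
  chain input {
    type filter hook input priority 0; policy accept;
    # Replies to the host's own upstream queries belong to established flows.
    ct state established,related accept
    # The bridged VMs may query dnsmasq (UDP for normal queries, TCP for
    # truncated answers and zone-sized responses).
    iifname "$IFACE" udp dport 53 ip saddr $VM_RANGE accept
    iifname "$IFACE" tcp dport 53 ip saddr $VM_RANGE accept
    # Everyone else on the public interface is dropped. UDP is the
    # reflection case; TCP is closed too so the host is not an open resolver.
    # IPv6 is not covered here: add matching ip6 saddr rules if dnsmasq also
    # listens on a public IPv6 address.
    iifname "$IFACE" udp dport 53 drop
    iifname "$IFACE" tcp dport 53 drop
  }
}
EOF
}

# Write the ruleset to the given file; returns non-zero if the write fails.
write_ruleset() {
  dns_ruleset > "$1"
}

# Usage (file path is an assumption):
#   sh dns_guard.sh /etc/nftables.d/dns_guard.nft
#   nft -f /etc/nftables.d/dns_guard.nft
if [ "${1:-}" != "" ]; then
  write_ruleset "$1"
fi
```

The chain keeps `policy accept` so that only DNS traffic on the public interface is affected; everything else on the host is left to whatever other rules are in place. Run `nft list table inet dns_guard` after loading to confirm the counters move on the drop rules when an unsolicited query arrives.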
