[Dnsmasq-discuss] Limit DNS queries to the local subnet clients

Édouard Thuleau thuleau at gmail.com
Fri Nov 29 17:29:55 GMT 2013


Yes.
In fact, I use dnsmasq in the context of OpenStack [1] for a public cloud.
The Neutron OpenStack project provides "networking as a service" between
interface devices (e.g., vNICs) managed by other OpenStack services.

By default, when a net/subnet is created, the first IP is used as the
gateway and the second (or more for HA) as IPAM (DHCP and DNS).
Only the IP nameservers of the subnet are provided to clients by the DHCP
lease. But if 2 subnets are routed, it is easy to find the DNS IP of the
other subnet and use it. In general, it's not a big problem because
only subnets of a tenant could be routed together.

But in my case, I also need to create a public network routed on the
internet. Neutron also creates an IPAM port on that network. So my DNS
IP is accessible on the internet and could be used as an open DNS and
unwittingly DDOS other machines.

So I'd like to patch Neutron to limit dnsmasq to answer DNS queries only
to clients of the subnet served by dnsmasq.
I'm looking into whether it's configurable with dnsmasq options. If not, I will
add a filtering rule on the dnsmasq port.

[1] http://www.openstack.org/

Regards,
Édouard.

On Fri, Nov 29, 2013 at 4:34 PM, Don Muller <don at djmuller.com> wrote:
> Yes if dnsmasq was open to the internet, but that would not prevent the request from coming in, just from it being answered. The question was how to limit dnsmasq to answer DNS queries only to clients of the subnet served by dnsmasq or to a defined subnet. So assuming it is in a controlled environment (internal LAN), if you don't set up the other subnets to send requests to dnsmasq then it would only receive requests on the subnets you do want to service. Besides, why would you want to set up the DNS resolver on subnets you were not going to answer? I think the answer to this is better network setup on the client subnets and also at the routers and firewalls.
>
> Don
>
>> -----Original Message-----
>> From: Brian Rak [mailto:brak at gameservers.com]
>> Sent: Friday, November 29, 2013 9:45 AM
>> To: Don Muller; dnsmasq-discuss at lists.thekelleys.org.uk
>> Subject: Re: [Dnsmasq-discuss] Limit DNS queries to the local subnet
>> clients
>>
>> That's how you end up with an open DNS resolver, and unwittingly DDOS
>> other machines.
>>
>> On 11/28/2013 10:52 PM, Don Muller wrote:
>> > Wouldn't it be better to not define dnsmasq as the DNS resolver for
>> the subnets you don't want to handle?
>> >
>> > Sent from my iPad
>> >
>> > Don Muller
>> >
>> >> On Nov 28, 2013, at 12:26 PM, Édouard Thuleau <thuleau at gmail.com>
>> wrote:
>> >>
>> >> Hi,
>> >>
>> >> I'm new with dnsmasq and I'd like to know if we can limit it to answer
>> >> DNS queries only to clients of the subnet served by dnsmasq or to a
>> >> defined subnet?
>> >>
>> >> Regards,
>> >> Édouard.
>> >>
>> >> _______________________________________________
>> >> Dnsmasq-discuss mailing list
>> >> Dnsmasq-discuss at lists.thekelleys.org.uk
>> >> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
>
>

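Édouard's fallback plan above is a filtering rule on the dnsmasq port. The following is an added example, not code from the thread or from the dnsmasq or Neutron projects: it prints the iptables rules that accept DNS (UDP and TCP port 53) on the dnsmasq interface only from the served subnet and drop everything else, and it classifies a few constructed query source addresses the way those rules would. The interface name tap-dhcp0 and the subnet 10.0.0.0/24 are assumed values.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed (constructed) values: dnsmasq
# listens on interface tap-dhcp0 and serves the subnet 10.0.0.0/24.
set -eu

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP CIDR: succeeds (exit 0) if IP lies within CIDR, fails otherwise.
in_subnet() {
  ip=$1
  net=${2%/*}
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# dns_rules IFACE CIDR: print iptables rules that accept DNS (UDP and TCP
# port 53) arriving on IFACE only from CIDR and drop every other DNS query
# on that interface. Printed rather than applied so they can be reviewed;
# pipe the output to sh (as root) to install them.
dns_rules() {
  iface=$1
  subnet=$2
  for proto in udp tcp; do
    echo "iptables -A INPUT -i $iface -p $proto --dport 53 -s $subnet -j ACCEPT"
    echo "iptables -A INPUT -i $iface -p $proto --dport 53 -j DROP"
  done
}

# classify CIDR SRC...: show, for each query source address, what the rules
# above would do with it (ALLOW or DROP).
classify() {
  subnet=$1
  shift
  for src in "$@"; do
    if in_subnet "$src" "$subnet"; then
      echo "$src ALLOW"
    else
      echo "$src DROP"
    fi
  done
}

dns_rules tap-dhcp0 10.0.0.0/24
# Constructed sources: one tenant client, one host on another routed subnet,
# one address from the internet.
classify 10.0.0.0/24 10.0.0.42 10.0.1.9 198.51.100.7
```

The rules are per interface, so a dnsmasq instance that serves several subnets needs one ACCEPT line per served subnet before the DROP. Independently of the firewall, dnsmasq itself can be told which interfaces to listen on with interface= together with bind-interfaces, and dnsmasq releases from 2.69 onward (later than this thread) also provide the local-service option, which answers DNS queries only from subnets directly attached to the host; neither of those is discussed in the thread, but both reduce what an internet-facing port exposes.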

