[Dnsmasq-discuss] Limit DNS queries to the local subnet clients

Don Muller don at djmuller.com
Fri Nov 29 19:19:22 GMT 2013


I agree with what you are saying but I think you are missing the point of the question. The poster only wanted dnsmasq to respond to certain subnets. The place to do that is not in dnsmasq but at the perimeter. Setting up dnsmasq to not respond does not stop the traffic from coming in, it just stops it from responding. The place to stop any type of attack is at the perimeter and not someplace inside the network. For internal networks, don't set up dnsmasq as your DNS resolver and you don't have to tell dnsmasq to not respond.

Sent from my iPad

Don Muller

> On Nov 29, 2013, at 2:03 PM, Brian Rak <brak at gameservers.com> wrote:
> 
> Your initial answer seems to assume that if you don't tell anyone about your DNS server, no one will discover it.  That's pretty much wrong.  Every public IP on the internet is going to be probed looking for open DNS servers to abuse multiple times a day.
> 
> Also, assuming that everyone is in a trusted, internal lan is not a valid assumption.  With various virtualization platforms using dnsmasq for DNS/DHCP, I'd say it's increasingly being used in places where it's directly exposed to the internet.
> 
>> On 11/29/2013 10:34 AM, Don Muller wrote:
>> Yes, if dnsmasq was open to the internet, but that would not prevent the request from coming in, just from it being answered. The question was how to limit dnsmasq to answer DNS queries only to clients of the subnet served by dnsmasq or to a defined subnet. So assuming it is in a controlled environment (internal lan), if you don't set up the other subnets to send requests to dnsmasq then it would only receive requests on the subnets you do want to service. Besides, why would you want to set up the DNS resolver on subnets you were not going to answer? I think the answer to this is better network setup on the client subnets and also at the routers and firewalls.
>> 
>> Don
>> 
>>> -----Original Message-----
>>> From: Brian Rak [mailto:brak at gameservers.com]
>>> Sent: Friday, November 29, 2013 9:45 AM
>>> To: Don Muller; dnsmasq-discuss at lists.thekelleys.org.uk
>>> Subject: Re: [Dnsmasq-discuss] Limit DNS queries to the local subnet clients
>>> 
>>> That's how you end up with an open DNS resolver, and unwittingly DDOS
>>> other machines.
>>> 
>>>> On 11/28/2013 10:52 PM, Don Muller wrote:
>>>> Wouldn't it be better to not define dnsmasq as the DNS resolver for the subnets you don't want to handle?
>>>> Sent from my iPad
>>>> 
>>>> Don Muller
>>>> 
>>>>> On Nov 28, 2013, at 12:26 PM, Édouard Thuleau <thuleau at gmail.com> wrote:
>>>>> Hi,
>>>>> 
>>>>> I'm new to dnsmasq and I would like to know if we can limit it to answer
>>>>> DNS queries only to clients of the subnet served by dnsmasq or to a
>>>>> defined subnet?
>>>>> 
>>>>> Regards,
>>>>> Édouard.
>>>>> 
>>>>> _______________________________________________
>>>>> Dnsmasq-discuss mailing list
>>>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>> 
>> 
> 
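As an added check (example code, not anything posted in this thread): a small Python script that scans dnsmasq `log-queries` output for clients outside the subnets the resolver is meant to serve, which is how an operator can verify that the perimeter filtering argued for above is actually holding rather than assuming it. It assumes the `query[TYPE] name from client` log line shape, an assumed set of served subnets, and constructed sample log lines.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Shape of the lines dnsmasq writes when started with --log-queries
# (assumption: syslog prefix, then "query[TYPE] name from client").
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)")

# Subnets this resolver is intended to serve (assumed values for the example).
ALLOWED = [ip_network("192.168.1.0/24"), ip_network("10.0.0.0/8")]

# Constructed sample log lines; documentation address ranges, not real hosts.
SAMPLE_LOG = """\
Nov 29 19:19:22 dnsmasq[1234]: query[A] intranet.example.lan from 192.168.1.10
Nov 29 19:19:23 dnsmasq[1234]: query[AAAA] intranet.example.lan from 192.168.1.10
Nov 29 19:19:25 dnsmasq[1234]: query[A] www.example.com from 10.20.30.40
Nov 29 19:19:31 dnsmasq[1234]: query[ANY] example.org from 203.0.113.77
Nov 29 19:19:31 dnsmasq[1234]: query[ANY] example.org from 203.0.113.77
Nov 29 19:19:32 dnsmasq[1234]: query[ANY] example.org from 198.51.100.9
Nov 29 19:19:33 dnsmasq[1234]: reply www.example.com is 198.51.100.200
"""

def is_allowed(src, allowed=ALLOWED):
    """True if src falls inside one of the subnets we intend to serve."""
    addr = ip_address(src)
    return any(addr in net for net in allowed)

def find_unexpected_sources(log_text, allowed=ALLOWED):
    """Count queries per client that lies outside the served subnets.

    Returns {source_ip: (query_count, set_of_qtypes)} so an operator sees both
    the volume and whether amplification-friendly types such as ANY appear.
    """
    counts = Counter()
    qtypes = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # reply/cache lines carry no client address
        src = m.group("src")
        if is_allowed(src, allowed):
            continue
        counts[src] += 1
        qtypes.setdefault(src, set()).add(m.group("qtype"))
    return {src: (n, qtypes[src]) for src, n in counts.items()}

if __name__ == "__main__":
    for src, (n, types) in find_unexpected_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} queries from outside served subnets, types={sorted(types)}")
```

Any source the script reports is a client the resolver answered even though it was never meant to be reachable from there, which is exactly the gap a firewall rule at the perimeter should close.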


