[Dnsmasq-discuss] Limit DNS queries to the local subnet clients

Brian Rak brak at gameservers.com
Fri Nov 29 19:45:51 GMT 2013


You seem to be a bit confused about how the attack works. It's not directed at the dnsmasq server.  The attacker uses spoofed traffic to trick dnsmasq into attacking a remote server. DNS replies provide amplification and anonymity to the attacks. Dropping outgoing DNS replies will prevent the server from being abused.

On a daily basis I deal with misconfigured servers that are attacking my machines. While perimeter defenses are great in theory, defense in depth is what you want for real networks.

Don Muller <don at djmuller.com> wrote:
>I agree with what you are saying but I think you are missing the point
>of the question. The poster only wanted dnsmasq to respond to certain
>subnets. The place to do that is not in dnsmasq but at the perimeter.
>Setting up dnsmasq to not respond does not stop the traffic from coming
>in, it just stops it from responding. The place to stop any type of
>attack is at the perimeter and not someplace inside the network. For
>internal networks don't set up dnsmasq as your DNS resolver and you
>don't have to tell dnsmasq to not respond.
>
>Sent from my iPad
>
>Don Muller
>
>> On Nov 29, 2013, at 2:03 PM, Brian Rak <brak at gameservers.com> wrote:
>> 
>> Your initial answer seems to assume that if you don't tell anyone
>> about your DNS server, no one will discover it.  That's pretty much
>> wrong.  Every public IP on the internet is going to be probed looking
>> for open DNS servers to abuse multiple times a day.
>> 
>> Also, assuming that everyone is in a trusted, internal LAN is not a
>> valid assumption.  With various virtualization platforms using dnsmasq
>> for DNS/DHCP, I'd say it's increasingly being used in places where it's
>> directly exposed to the internet.
>> 
>>> On 11/29/2013 10:34 AM, Don Muller wrote:
>>> Yes if dnsmasq was open to the internet, but that would not prevent the
>>> request from coming in, just from it being answered. The question was
>>> how to limit dnsmasq to answer DNS queries only to clients of the subnet
>>> served by dnsmasq or to a defined subnet. So assuming it is in a
>>> controlled environment (internal LAN), if you don't set up the other
>>> subnets to send requests to dnsmasq then it would only receive requests
>>> on the subnets you do want to service. Besides, why would you want to
>>> set up the DNS resolver on subnets you were not going to answer? I
>>> think the answer to this is better network setup on the client subnets
>>> and also at the routers and firewalls.
>>> 
>>> Don
>>> 
>>>> -----Original Message-----
>>>> From: Brian Rak [mailto:brak at gameservers.com]
>>>> Sent: Friday, November 29, 2013 9:45 AM
>>>> To: Don Muller; dnsmasq-discuss at lists.thekelleys.org.uk
>>>> Subject: Re: [Dnsmasq-discuss] Limit DNS queries to the local subnet clients
>>>> 
>>>> That's how you end up with an open DNS resolver, and unwittingly DDoS
>>>> other machines.
>>>> 
>>>>> On 11/28/2013 10:52 PM, Don Muller wrote:
>>>>> Wouldn't it be better to not define dnsmasq as the DNS resolver for
>>>>> the subnets you don't want to handle?
>>>>> Sent from my iPad
>>>>> 
>>>>> Don Muller
>>>>> 
>>>>>> On Nov 28, 2013, at 12:26 PM, Édouard Thuleau <thuleau at gmail.com> wrote:
>>>>>> Hi,
>>>>>> 
>>>>>> I'm new to dnsmasq and I would like to know if we can limit it to answer
>>>>>> DNS queries only to clients of the subnet served by dnsmasq or to a
>>>>>> defined subnet?
>>>>>> 
>>>>>> Regards,
>>>>>> Édouard.
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Dnsmasq-discuss mailing list
>>>>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>> 
>>> 
>> 
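The thread's practical question is whether a dnsmasq instance is answering clients outside the subnets it is meant to serve. As an added example (not code from this thread or from the dnsmasq project), the following Python audit reads dnsmasq `log-queries` output, whose query lines have the form `query[TYPE] name from SOURCE`, and reports every query source that falls outside the allowed subnets; the log lines and subnets below are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of dnsmasq "log-queries" output; addresses are
# documentation ranges, not real clients.
SAMPLE_LOG = """\
Nov 29 19:40:01 dnsmasq[1234]: query[A] intranet.example.lan from 192.168.1.10
Nov 29 19:40:02 dnsmasq[1234]: query[ANY] isc.org from 203.0.113.77
Nov 29 19:40:02 dnsmasq[1234]: query[ANY] isc.org from 203.0.113.77
Nov 29 19:40:03 dnsmasq[1234]: query[AAAA] intranet.example.lan from 192.168.1.22
Nov 29 19:40:05 dnsmasq[1234]: query[TXT] ripe.net from 198.51.100.9
Nov 29 19:40:06 dnsmasq[1234]: forwarded isc.org to 8.8.8.8
"""

# Only "query[...]" lines carry a client source; "forwarded"/"reply" lines do not.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)")


def parse_queries(log_text):
    """Yield (qtype, name, source address) for each dnsmasq query line."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qtype"), m.group("name"), ipaddress.ip_address(m.group("src"))


def audit_sources(log_text, allowed_subnets):
    """Return {source_ip: query_count} for queries whose source lies outside
    every allowed subnet, i.e. clients the resolver should not be serving."""
    nets = [ipaddress.ip_network(s) for s in allowed_subnets]
    outside = Counter()
    for _qtype, _name, src in parse_queries(log_text):
        # An IPv6 source is never "in" an IPv4 network, so mixed families are safe.
        if not any(src in net for net in nets):
            outside[str(src)] += 1
    return dict(outside)


if __name__ == "__main__":
    # Assumed policy: the server should only answer the 192.168.1.0/24 LAN.
    for src, count in sorted(audit_sources(SAMPLE_LOG, ["192.168.1.0/24"]).items()):
        print(f"{src}: {count} queries from outside the served subnets")
```

A non-empty result means the resolver is reachable and answering beyond its intended subnets, which is the condition the thread's firewall and dnsmasq-configuration advice is meant to close.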

