[Dnsmasq-discuss] Limit DNS queries to the local subnet clients

Édouard Thuleau thuleau at gmail.com
Thu Dec 5 07:56:56 GMT 2013


In OpenStack, a dedicated isolated (through network namespaces) port
is created to bind dnsmasq.
My problem is that if I create a public network/subnet (like a network
routed on the internet or another WAN) with Neutron and activate the IPAM
(DHCP & DNS cache) service on it, other networks routed with that
public network can access my IPAM port and use it as a DNS resolver.
And in the case of a network routed on the internet, all the world can
access it and could use it as an open DNS and
unwittingly DDoS other machines.

So my question is 'Can I limit dnsmasq to answer DNS queries only to
clients of the subnet served by dnsmasq or to a defined subnet?'.
If not, I will add an ACL on the dnsmasq port.

Édouard.

On Sat, Nov 30, 2013 at 3:34 AM, Jim Alles <kb3tbx at gmail.com> wrote:
> Édouard Thuleau <thuleau at gmail.com> wrote:
> Nov 28 (1 day ago)
> to dnsmasq-discuss
> Hi,
>
> I'm new to dnsmasq and I'd like to know if we can limit it to answer
> DNS queries only to clients of the subnet served by dnsmasq or to a
> defined subnet?
>
> Regards,
> Édouard.
> ________________
>
> Is it not as simple as this?
>
> "One thing you will probably want to do is tell dnsmasq which ethernet
> interface it can and cannot listen on, as we really don't want it
> listening on the internet. By default dnsmasq offers DNS service on
> all the configured interfaces of a host. It's likely that you don't
> (for instance) want to offer a DNS service to the world via an
> interface connected to ADSL or cable-modem so dnsmasq allows you to
> specify which interfaces it will listen on. Use either the interface
> or address options to do this.
>
> If I didn't edit this line, it would also listen on eth0, my internet
> connection. I personally wouldn't recommend this, as it gives those
> evil guys a few doors to try to break into.
>
> except-interface=<WAN interface name (ethN)>"
>
> Peace,
>
> Jim Alles
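
The thread turns on a distinction that is easy to miss: interface=, except-interface= and listen-address= tell dnsmasq where to listen, not whom to answer. A query that is routed onto the served interface from another network (or from the internet, in the public-subnet case) still arrives on that interface and is still answered. The only dnsmasq option that filters on the client's source address is local-service (added in dnsmasq 2.69, so later than this thread), and per the man page it is switched off as soon as any interface/except-interface/listen-address/auth-server option is present, which is exactly the situation of a dnsmasq pinned to one port in a network namespace. In that case the answer to the question is the one Édouard already suggested: a netfilter ACL on the port. The script below is an added example, not code from the thread, dnsmasq or OpenStack; it audits a dnsmasq.conf for these conditions and builds the fallback ACL. The configurations, the interface name tap0, the namespace qdhcp-demo and the subnet 10.0.0.0/24 are constructed for the demonstration; that Neutron starts dnsmasq with interface= and bind-interfaces is an assumption drawn from the description in the first message.

```python
"""Audit a dnsmasq configuration for open-resolver exposure and, where dnsmasq
itself cannot filter by client address, build the netfilter ACL that does.

Added example, not dnsmasq or OpenStack project code.  Assumes dnsmasq >= 2.69
(the release that introduced local-service).  tap0, qdhcp-demo and 10.0.0.0/24
are made-up names used only for the demonstration.
"""
import ipaddress

# Options that decide where dnsmasq listens.  The dnsmasq man page states that
# local-service has no effect when any of these is present.
SCOPING_OPTIONS = {"interface", "except-interface", "listen-address", "auth-server"}


def parse_dnsmasq_conf(text):
    """Return {option: [values]} from dnsmasq.conf syntax: one 'key=value' or
    bare flag per line, lines starting with '#' are comments, a repeated key
    accumulates values.  Included files (conf-file=, conf-dir=) are not followed."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        opts.setdefault(key.strip(), []).append(value.strip() if sep else None)
    return opts


def audit_resolver_exposure(conf_text):
    """Classify a configuration: does it answer the whole world, and does
    dnsmasq itself filter on the client's source address?"""
    opts = parse_dnsmasq_conf(conf_text)
    scoped = bool(SCOPING_OPTIONS & opts.keys())
    local_service = "local-service" in opts
    warnings = []
    if not scoped and not local_service:
        warnings.append("listens on every interface and answers any client: "
                        "open resolver unless a firewall blocks port 53")
    if scoped and local_service:
        warnings.append("local-service is ignored because interface/except-interface/"
                        "listen-address/auth-server is set")
    if "interface" in opts and "bind-interfaces" not in opts:
        warnings.append("interface= without bind-interfaces: dnsmasq binds the "
                        "wildcard address and discards other traffic in userspace")
    if scoped:
        warnings.append("interface/listen-address select by arrival interface or "
                        "address, not by client source address: clients routed "
                        "onto the served interface are still answered")
    return {
        "open_resolver": not scoped and not local_service,
        # dnsmasq checks the client address only via local-service, and only
        # when no scoping option disables it.
        "filters_by_source": local_service and not scoped,
        "warnings": warnings,
    }


def netfilter_acl(iface, cidr, netns=None):
    """Commands that admit DNS (UDP and TCP 53) on `iface` only from `cidr` and
    drop every other DNS client.  ACCEPT rules are appended before the DROP
    rules, so order matters.  With `netns` set, each command runs inside that
    network namespace (the OpenStack case)."""
    net = ipaddress.ip_network(cidr, strict=False)  # rejects malformed input
    tool = "ip6tables" if net.version == 6 else "iptables"
    wrapper = f"ip netns exec {netns} " if netns else ""

    def rule(proto, *tail):
        return f"{wrapper}{tool} -A INPUT -i {iface} -p {proto} --dport 53 " + " ".join(tail)

    accept = [rule(p, "-s", str(net), "-j", "ACCEPT") for p in ("udp", "tcp")]
    drop = [rule(p, "-j", "DROP") for p in ("udp", "tcp")]
    return accept + drop


# Constructed configurations for the demonstration.
OPEN_CONF = """# stock config: no listen restriction, no local-service
domain-needed
dhcp-range=10.0.0.10,10.0.0.100,12h
"""
NETNS_CONF = """# dnsmasq pinned to one port in a namespace (assumed Neutron style)
interface=tap0
bind-interfaces
no-resolv
dhcp-range=10.0.0.10,10.0.0.100,12h
"""
LOCAL_SERVICE_CONF = """# one host, all interfaces, client-address check done by dnsmasq
local-service
dhcp-range=10.0.0.10,10.0.0.100,12h
"""


def main():
    for name, conf in (("open", OPEN_CONF), ("netns", NETNS_CONF),
                       ("local-service", LOCAL_SERVICE_CONF)):
        result = audit_resolver_exposure(conf)
        print(name, result["open_resolver"], result["filters_by_source"])
        for w in result["warnings"]:
            print("  -", w)
        if not result["filters_by_source"]:
            for cmd in netfilter_acl("tap0", "10.0.0.0/24", netns="qdhcp-demo"):
                print("  $", cmd)


if __name__ == "__main__":
    main()
```

The ACL is deliberately built from -i plus -s rather than -s alone: inside the namespace the served port is the only interface, but on a multi-homed host the same subnet match would otherwise apply to every interface. Traffic to dnsmasq's DHCP port is untouched, so leases keep working.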
