[Dnsmasq-discuss] Recursive DNS on dnsmasq

Jeroen van der Ham vdham at uva.nl
Tue Feb 25 15:50:14 UTC 2014


If I install dnsmasq on a machine and start it with the default configuration, I end up with a host that has an open recursive DNS resolver, meaning the host responds to queries from the entire Internet. I understand that dnsmasq is used as a service to bootstrap small networks, and you would like to have something that creates as few problems for the user by default. This has to be balanced with the security and safety of the Internet.

The problem is that dnsmasq also responds to spoofed UDP queries, which are actively used in DDoS attacks. Many ISPs and CERT teams are actively approaching users to disable these resolvers, so many users have to deal with it in the end.

Would it be possible to disable this default behaviour? To force the user to configure this himself? 
Or perhaps to restrict the resolving to the local subnet, so that it still works automatically for the end-user?
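The two remedies asked about above (refusing everything except local clients, or restricting listening to the local subnet) are both expressible with existing dnsmasq options, so here is an added example, written by the editor and not part of the original post or of the dnsmasq project, that lints a `dnsmasq.conf` for the open-resolver condition. The sample configurations are constructed for illustration. Option semantics are taken from the dnsmasq manual: an install with no `interface=`, `except-interface=`, `listen-address=` or `local-service` line answers on every address it has; `port=0` turns DNS off entirely; `local-service` accepts queries only from directly attached subnets and, per the manual, has no effect once any of the interface or address options are set. Check your own version's man page for `local-service`, which is not present in older releases. The lint is an approximation of those rules: it does not follow `conf-file=` or `conf-dir=` includes and cannot know which interface names are Internet-facing, so a `scoped` verdict still needs a human look.

```python
"""Lint a dnsmasq.conf for the open-recursive-resolver condition.

Added example (not dnsmasq project code). It approximates the listening
rules from the dnsmasq manual and does not follow conf-file/conf-dir includes.
"""

# Constructed sample configurations for illustration only.
OPEN_DEFAULT_CONF = """
# typical default install: no restriction on who may query
domain-needed
bogus-priv
"""

LOOPBACK_ONLY_CONF = """
# answer only the local host
interface=lo
bind-interfaces
"""

LOCAL_SUBNET_CONF = """
# answer only clients whose source address is on a directly attached subnet
local-service
"""

# Options that restrict which interfaces/addresses dnsmasq serves DNS on.
SCOPING_OPTIONS = ("interface", "except-interface", "listen-address", "auth-server")
LOOPBACK_NAMES = {"lo", "127.0.0.1", "::1"}


def parse_conf(text):
    """Return {option: [values]}; bare options (no '=') get the value None."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, sep, value = line.partition("=")
        opts.setdefault(key.strip(), []).append(value.strip() if sep else None)
    return opts


def classify(text):
    """Return (verdict, reasons) for a dnsmasq.conf body.

    verdict is one of: dns-disabled, loopback-only, scoped, local-subnets, open.
    """
    opts = parse_conf(text)
    reasons = []
    if "conf-file" in opts or "conf-dir" in opts:
        reasons.append("includes present (conf-file/conf-dir) and not followed by this lint")

    if "0" in opts.get("port", []):
        return "dns-disabled", reasons + ["port=0: DNS service is switched off"]

    present = [k for k in SCOPING_OPTIONS if k in opts]
    if present:
        bound = set(opts.get("interface", [])) | set(opts.get("listen-address", []))
        if bound and bound <= LOOPBACK_NAMES:
            return "loopback-only", reasons + ["only loopback names/addresses are bound"]
        if present == ["except-interface"]:
            reasons.append("except-interface= only excludes; every other interface still answers")
        if "local-service" in opts:
            reasons.append("local-service is ignored once interface/address options are set")
        return "scoped", reasons + [
            "listening limited by " + ", ".join(present) + "; confirm none face the Internet"
        ]

    if "local-service" in opts:
        return "local-subnets", reasons + [
            "local-service: queries accepted only from directly attached subnets"
        ]
    return "open", reasons + [
        "no interface=, listen-address=, except-interface= or local-service: "
        "answers queries from any source address"
    ]


if __name__ == "__main__":
    for name, conf in (("default", OPEN_DEFAULT_CONF),
                       ("loopback", LOOPBACK_ONLY_CONF),
                       ("local-service", LOCAL_SUBNET_CONF)):
        verdict, why = classify(conf)
        print(f"{name:14s} -> {verdict}: {'; '.join(why)}")
```

Running it against the three samples reports the default as `open`, the `interface=lo` variant as `loopback-only`, and the `local-service` variant as `local-subnets`. Spoofed-source amplification is only stopped by the first two answers at the resolver itself; `local-service` still answers any packet whose source address claims to be on an attached subnet, so a host with an Internet-facing subnet should pair it with ingress filtering on that interface.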


