[Dnsmasq-discuss] Recursive DNS on dnsmasq

Albert ARIBAUD albert.aribaud at free.fr
Tue Feb 25 16:04:28 UTC 2014


On 25/02/2014 16:50, Jeroen van der Ham wrote:
> Hi,
>
> If I install dnsmasq on a machine and start it with the default
> configuration, I end up with a host that has an open recursive DNS
> resolver. Meaning the host responds to queries from the entire
> Internet. I understand that dnsmasq is used as a service to bootstrap
> small networks, and you would like to have something that creates as
> few problems for the user by default. This has to be balanced with
> the security and safety of the Internet.
>
> The problem is that dnsmasq also responds to spoofed UDP queries,
> which are actively used in DDoS attacks. Many ISPs and CERT teams are
> actively approaching users to disable these resolvers, so many users
> have to deal with it in the end.
>
> Would it be possible to disable this default behaviour? To force the
> user to configure this himself? Or perhaps to restrict the resolving
> to the local subnet, so that it still works automatically for the
> end-user?

It is possible; however, I think it is not the province of dnsmasq
itself, but of packagers who integrate dnsmasq in distributions -- and
of system admins, who can and should go beyond simply installing the
package.

Personally, I have configured not only dnsmasq but also iptables and
ip6tables so that my local dnsmasq does not serve as an open DNS.

> Regards, Jeroen.

Kind regards,
-- 
Albert.
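The two-layer setup Albert describes (dnsmasq bound to the LAN side plus iptables/ip6tables rules), written out as an added example that is not part of the thread. The interface name `br-lan` and the prefixes `192.168.1.0/24` and `fd00:1::/64` are assumptions; the `local-service` option is only available in dnsmasq 2.69 and later.

```shell
#!/bin/sh
# Keep a dnsmasq resolver LAN-only: restrict dnsmasq itself, then back it
# with firewall rules so a misconfiguration on either side is caught by the other.
# Assumed (hypothetical) network: LAN interface br-lan, IPv4 192.168.1.0/24, IPv6 fd00:1::/64.
LAN_IF="${LAN_IF:-br-lan}"
LAN_NET4="${LAN_NET4:-192.168.1.0/24}"
LAN_NET6="${LAN_NET6:-fd00:1::/64}"

# dnsmasq side: a drop-in for /etc/dnsmasq.d/. With interface= dnsmasq also
# listens on loopback, but never on the WAN-facing address.
dnsmasq_local_conf() {
  cat <<EOF
interface=$LAN_IF
bind-interfaces
# dnsmasq 2.69+: additionally refuse queries whose source address is not
# on a directly attached subnet, even if they reach a listening socket
local-service
EOF
}

# Firewall side: accept port 53 only from the LAN prefix on the LAN interface
# (and from loopback), drop every other DNS request, UDP and TCP alike.
# Prints the commands so they can be reviewed; pipe through sh to apply.
firewall_rules() {
  for proto in udp tcp; do
    echo "iptables  -A INPUT -i lo -p $proto --dport 53 -j ACCEPT"
    echo "ip6tables -A INPUT -i lo -p $proto --dport 53 -j ACCEPT"
    echo "iptables  -A INPUT -i $LAN_IF -s $LAN_NET4 -p $proto --dport 53 -j ACCEPT"
    echo "ip6tables -A INPUT -i $LAN_IF -s $LAN_NET6 -p $proto --dport 53 -j ACCEPT"
    echo "iptables  -A INPUT -p $proto --dport 53 -j DROP"
    echo "ip6tables -A INPUT -p $proto --dport 53 -j DROP"
  done
}

# Stand-alone run: print both pieces for review.
dnsmasq_local_conf
echo
firewall_rules
```

After applying, a query from outside the LAN prefix should time out rather than be answered, which is what the ISP and CERT scans in the thread look for.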
