[Dnsmasq-discuss] Recursive DNS on dnsmasq
albert.aribaud at free.fr
Tue Feb 25 17:53:58 UTC 2014
Le 25/02/2014 18:36, Jeroen van der Ham a écrit :
> On 25 Feb 2014, at 17:04, Albert ARIBAUD <albert.aribaud at free.fr>
>> It is possible, however I think it is not the province of dnsmasq
>> itself, but of packagers who integrate dnsmasq in distributions --
>> and of system admins, who can and should go beyond simply
>> installing the package.
> The problem is that dnsmasq is now increasingly being used on systems
> where you have less than clueful system administrators. You see now
> that OpenWRT includes it in their system, but also newer versions of
> Ubuntu come with it installed by default.
Yes, they do; I am running one actually right now, and its dnsmasq
configuration is safe since it only listens on 127.0.0.1 and therefore
won't answer as an open DNS -- that's what I meant by 'this is the
province of packagers who integrate dnsmasq'.
I can't vouch for OpenWRT, though.
> dnsmasq serves as a DHCP and DNS server, so it should really know for
> who it should serve recursive queries, right?
Hmm, no. DHCP is not tightly linked to DNS. Hosts can perfectly run in a
network without doing any DHCP but still use DNS; and conversively, a
host mught use DHCP from dnsmasq but run its own DNS for various reasons.
>> Personally, I have configured not only dnsmasq but also iptables
>> and ip6tables so that my local dnsmasq does not serve as an open
> I assume a secure by default configuration for almost everything I
I prefer checking rather than assuming :) but yes, the default
configuration should be secure; however the default configuration for
any package will differ from distro to distro, and is usually reviewed
At most, one might want dnsmasq to behave as safely as possible without
any configuration at all, but then, it won't have an upstream server
configured, so it won't be able to resolve at all, and would thus be a
poor open NS.
More information about the Dnsmasq-discuss