[Dnsmasq-discuss] Recursive DNS on dnsmasq
simon at thekelleys.org.uk
Tue Feb 25 20:50:22 UTC 2014
I agree that this is definitely a packaging issue rather than an
"upstream" one. Unfortunately, as Debian packager for dnsmasq as well as
maintainer, I'm still on the hook! There's an open bug against the
Debian dnsmasq package that makes the same point as the OP here.

The problem is that it's pretty difficult to do anything automatically. You
can limit dnsmasq to the loopback interface, which would be safe, but
break an awful lot of existing installations. Something I'm wondering
about in Debian is to limit to 127.0.0.1 for new installations, but not
upgrades. I've not yet worked out how to actually implement that, though.
On 25/02/14 17:53, Albert ARIBAUD wrote:
> Le 25/02/2014 18:36, Jeroen van der Ham a écrit :
>> On 25 Feb 2014, at 17:04, Albert ARIBAUD <albert.aribaud at free.fr>
>>> It is possible, however I think it is not the province of dnsmasq
>>> itself, but of packagers who integrate dnsmasq in distributions --
>>> and of system admins, who can and should go beyond simply
>>> installing the package.
>> The problem is that dnsmasq is now increasingly being used on systems
>> where you have less than clueful system administrators. You see now
>> that OpenWRT includes it in their system, but also newer versions of
>> Ubuntu come with it installed by default.
> Yes, they do; I am running one actually right now, and its dnsmasq
> configuration is safe since it only listens on 127.0.0.1 and therefore
> won't answer as an open DNS -- that's what I meant by 'this is the
> province of packagers who integrate dnsmasq'.
> I can't vouch for OpenWRT, though.
>> dnsmasq serves as a DHCP and DNS server, so it should really know for
>> who it should serve recursive queries, right?
> Hmm, no. DHCP is not tightly linked to DNS. Hosts can perfectly run in a
> network without doing any DHCP but still use DNS; and conversely, a
> host might use DHCP from dnsmasq but run its own DNS for various reasons.
>>> Personally, I have configured not only dnsmasq but also iptables
>>> and ip6tables so that my local dnsmasq does not serve as an open
>> I assume a secure by default configuration for almost everything I
> I prefer checking rather than assuming :) but yes, the default
> configuration should be secure; however the default configuration for
> any package will differ from distro to distro, and is usually reviewed
> and safe.
> At most, one might want dnsmasq to behave as safely as possible without
> any configuration at all, but then, it won't have an upstream server
> configured, so it won't be able to resolve at all, and would thus be a
> poor open NS.
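
Added example, not part of the original thread and not dnsmasq project code: a small Python check that classifies a dnsmasq configuration text by whether its DNS listener is confined to loopback, the restriction discussed in this thread. It assumes only the given text is read (no command-line options or included files); the loopback interface names, the category labels and the handling of the `local-service` option (not mentioned in the thread) are assumptions of this sketch.

```python
import ipaddress

LOOPBACK_IFACES = {"lo", "lo0"}  # assumption: common loopback interface names

def parse_options(conf_text):
    """Return (key, value) pairs from dnsmasq.conf-style text, ignoring comments."""
    opts = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            opts.append((key.strip(), value.strip()))
    return opts

def is_loopback_addr(value):
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False  # not a literal IP address: treat as non-loopback

def dns_exposure(conf_text):
    """Classify where the DNS listener answers, from the config text alone."""
    opts = parse_options(conf_text)
    keys = {k for k, _ in opts}

    def values(name):
        # Options may repeat; comma-separated lists are also accepted here.
        return [v.strip() for k, val in opts if k == name
                for v in val.split(",") if v.strip()]

    if "0" in values("port"):
        return "dns-disabled"          # port=0 turns the DNS function off
    ifaces, addrs = values("interface"), values("listen-address")
    if ifaces or addrs:
        if (all(i in LOOPBACK_IFACES for i in ifaces)
                and all(is_loopback_addr(a) for a in addrs)):
            return "loopback-only"
        return "non-loopback"          # answers on some other interface/address
    if "local-service" in keys and not keys & {"except-interface", "auth-server"}:
        return "local-subnets-only"    # queries accepted from local subnets only
    return "non-loopback"              # no restriction: listens on all interfaces

if __name__ == "__main__":
    # Constructed sample configurations, not taken from any real system.
    samples = {"packaged-safe": "listen-address=127.0.0.1\nbind-interfaces\n",
               "bare-default": "# no listener options\nserver=192.0.2.53\n",
               "router": "interface=lo\ninterface=br-lan\n"}
    for name, text in samples.items():
        print(f"{name}: {dns_exposure(text)}")
```

A "non-loopback" result is not by itself a misconfiguration (a LAN resolver is meant to answer on the LAN); it marks the installations where a packet filter or an explicit interface choice has to prevent answering queries from outside.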