[Dnsmasq-discuss] dnsmasq to provide public DNS service

Mark Steward marksteward at gmail.com
Thu Jul 14 02:32:00 BST 2016


I'm not sure about that conclusion. The overwhelming likelihood is that
your ISP is blocking UDP on port 53. This is very common on domestic ISPs,
precisely to stop people shooting themselves in the foot by running open
resolvers.

I've only skim-read this thread. Did you properly test listening on UDP 53
with nc -u -l53 or equivalent? Could you reach it from another machine on
the internet? If not, that's your problem, not dnsmasq.

If you do convince your ISP to open up access, can I recommend you at least
use port knocking to reduce the likelihood of being used by botnets?
Honeypots demonstrate that an open service on IPv4 will often be picked up
in hours.

Mark

On 14 Jul 2016 01:57, "T o n g" <mlist4suntong at yahoo.com> wrote:

> On Sun, 10 Jul 2016 21:50:03 +0200, Albert ARIBAUD wrote:
>
> > Regarding running the DNS on TCP alone: problem is, you might force the
> > dig command to use TCP, but that's a specific case; all DNS resolutions
> > happening on your machine in any other process than dig will keep on
> > trying UDP first when the request size warrants it, because that's the
> > standard.
>
> That's not a problem for me. If I have to use TCP, then I'll always use
> `dig +tcp`, so UDP will never be in the way.
>
> > OK, so no blocking at your box level except for what fail2ban may decide
> > to block. Now we're fairly sure your problem is with either your ISP or
> > your hosting provider.
>
> After struggling for a few days, I finally decided that I should reply, to
> bring some closure on this. Thank you for all these days of your tireless
> help. However, my conclusion is still the same as my first post -- dnsmasq
> is unable to provide public DNS service -- It can be used as DNS server
> for local host, or local network, but just not for the general public.
> We've ruled out everything possible, and the only thing left is dnsmasq.
>
> I.e., if there is any problem with my ISP or my hosting provider, I
> wouldn't have been able to start a working second SSH session listening
> to port 53 (instead of 22).
>
> In other words, all else the same, swap in SSH to listen to port 53, it
> works; swap in dnsmasq, and it fails. With all else the same, dnsmasq is
> the only problem.
>
> Thanks anyway for all your help.
>
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
