[Dnsmasq-discuss] CVE-2020-25705 mitigation (SAD DNS)

Lonnie Abelbeck lists at lonnie.abelbeck.com
Wed Dec 9 15:54:22 GMT 2020



> On Dec 9, 2020, at 4:38 AM, Petr Menšík <pemensik at redhat.com> wrote:
> 
> I doubt limiting to 1221 can fix virtually anything. I doubt it would
> fix anything even on Windows. I am sure it would not prevent any attack
> on dnsmasq.
> 
> I think the best mitigation would be blocking any external IP addresses
> to dnsmasq, only those configured as forwarder in dnsmasq should be allowed.

Yes, or configure dnsmasq to use a DNS-over-TLS (DoT) proxy over untrusted networks. For example, stubby.

Lonnie
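The two mitigations in this exchange, accepting upstream traffic only from the forwarders dnsmasq is configured with, and pushing the general-internet path through a local DoT proxy such as stubby, can be checked against an actual dnsmasq.conf. The helper below is an added example, not code from the list post, from dnsmasq or from stubby: it parses the `server=` directives of a constructed dnsmasq.conf (the addresses, the `wan0` interface name and the nftables `inet filter` / `input` table and chain are placeholders), collects the upstream `(address, port)` pairs, and emits nft(8) commands that accept UDP on the untrusted interface only from those forwarders and drop other inbound UDP aimed at the unprivileged ports dnsmasq uses for its queries. Loopback forwarders (the stubby case) get no WAN rule at all, and since DoT runs over TCP port 853 the proxy's own upstream traffic is unaffected by the UDP drop.

```python
"""Derive a UDP allow-list for dnsmasq's untrusted side from its server= lines.

Added example, not from the dnsmasq or stubby projects. Interface, table and
chain names are assumptions; adjust them to the host's nftables layout.
"""
import ipaddress

# Constructed sample dnsmasq.conf (assumption: stubby listens on loopback port 5353;
# 10.0.0.53 and 198.51.100.7 are placeholder resolver addresses).
SAMPLE_CONF = """\
# general-internet lookups go to a local DNS-over-TLS proxy (stubby)
no-resolv
server=127.0.0.1#5353
server=::1#5353
# one internal zone is answered directly by a plain-DNS resolver
server=/corp.example/10.0.0.53
# forwarder on a non-standard port, queries bound to a specific source address
server=198.51.100.7#5300@192.0.2.10
# local-only and "use the default servers" forms carry no address and are skipped
server=/lan/
server=/example.net/#
listen-address=192.168.1.1
"""


def parse_forwarders(conf_text):
    """Return sorted (ip_address, port) pairs for every server= directive with an address.

    dnsmasq syntax handled: server=[/domain/...]addr[#port][@source|iface[#port]].
    Only whole-line comments are stripped, because '#' is also the port separator.
    """
    forwarders = set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() != "server":
            continue
        value = value.strip()
        if value.startswith("/"):
            # server=/d1/d2/addr : the upstream address follows the last '/'
            value = value.rsplit("/", 1)[1]
        # drop the optional @source-ip|interface[#port] query-source suffix
        value = value.split("@", 1)[0]
        if value in ("", "#"):
            continue  # local-only zone, or "route this zone to the default servers"
        addr, _, port = value.partition("#")
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not something a packet filter can match on
        forwarders.add((ip, int(port) if port else 53))
    return sorted(forwarders, key=lambda f: (f[0].version, int(f[0]), f[1]))


def nft_rules(forwarders, wan_if="wan0", table="inet filter", chain="input"):
    """Emit nft(8) commands: accept UDP from each non-loopback forwarder on the untrusted
    interface, then drop any other inbound UDP to the unprivileged port range."""
    rules = []
    for ip, port in forwarders:
        if ip.is_loopback:
            continue  # a local DoT proxy such as stubby is never reached via the WAN
        fam = "ip" if ip.version == 4 else "ip6"
        rules.append(
            f'add rule {table} {chain} iifname "{wan_if}" '
            f"{fam} saddr {ip} udp sport {port} accept"
        )
    rules.append(f'add rule {table} {chain} iifname "{wan_if}" udp dport 1024-65535 drop')
    return rules


if __name__ == "__main__":
    upstreams = parse_forwarders(SAMPLE_CONF)
    for ip, port in upstreams:
        print(f"forwarder {ip} port {port}{' (loopback, no WAN rule)' if ip.is_loopback else ''}")
    print()
    print("\n".join(nft_rules(upstreams)))
```

The drop rule is intentionally broad: it assumes inbound UDP on the untrusted interface is only ever DNS replies, which is the case for a dedicated uplink but not for a host that also runs NTP, DHCP client or VPN traffic there; narrow it before applying it to such a host.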