[Dnsmasq-discuss] restricting dnsmasq listen addresses
Carla Schroder
carla at bratgrrl.com
Mon Apr 9 22:01:31 BST 2007
I want to limit dnsmasq to listen only on my LAN interfaces, but right now
it's open to the world. This is my conf:
domain-needed
bogus-priv
local=/alrac.net/
expand-hosts
domain=alrac.net
#dnsmasq use own dns server
listen-address=127.0.0.1
#listen only on LAN addresses
listen-address=192.168.1.50
listen-address=192.168.2.50
#upstream servers
server=12.169.174.2
server=12.169.174.3
But both netstat and nmap confirm that Dnsmasq is listening to all interfaces,
as this netstat output shows:
# netstat -untap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address    State    PID/Program name
tcp        0      0 0.0.0.0:53       0.0.0.0:*          LISTEN   595/dnsmasq
tcp6       0      0 :::53            :::*               LISTEN   595/dnsmasq
udp        0      0 0.0.0.0:53       0.0.0.0:*                   595/dnsmasq
udp        0      0 0.0.0.0:67       0.0.0.0:*                   595/dnsmasq
udp6       0      0 :::53            :::*                        595/dnsmasq
Nmap, run from a remote host with my firewall turned off, confirms that DNS is
open to the world:
PORT STATE SERVICE
53/tcp open domain
Or it would be, without my nice iptables firewall.
I have tried using various combinations of options, like
interface=ath0
interface=eth0
except-interface=eth1
But it still listens to all interfaces and addresses. Any ideas how to make it
listen only on certain interfaces or addresses?
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carla Schroder
Linux geek and random computer tamer
check out my Linux Cookbook!
http://www.oreilly.com/catalog/linuxckbk/
best book for sysadmins and power users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
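The behaviour described in the post is dnsmasq's default socket model: `listen-address`, `interface` and `except-interface` only filter which requests dnsmasq answers, while the process still binds the wildcard address (0.0.0.0:53 and :::53) and discards queries that arrive on addresses it was not told to serve. That is why netstat and nmap still show port 53 on every address. The option that changes which sockets are actually bound is `bind-interfaces`. The configuration below is an added example, not the poster's file or part of the dnsmasq project; it reuses the addresses and interface names from the post above, which are assumed here purely for illustration, and shows the filtering-only form next to the corrected form.

```conf
# Added example of a dnsmasq.conf that restricts the bound sockets.
# Addresses and interface names are taken from the post above and are
# assumed for illustration only.

# --- what the post has: these options only FILTER queries ---
# Without bind-interfaces, dnsmasq still binds 0.0.0.0:53 and :::53 and
# drops requests that arrive on addresses it was not told to serve, so
# netstat/nmap keep showing wildcard listeners.
#listen-address=127.0.0.1
#listen-address=192.168.1.50
#listen-address=192.168.2.50

# --- corrected: bind only the listed addresses ---
# bind-interfaces makes dnsmasq bind each listen-address (or each
# interface named with interface=) individually instead of the wildcard,
# so the only sockets visible to netstat are the ones listed here.
bind-interfaces
listen-address=127.0.0.1
listen-address=192.168.1.50
listen-address=192.168.2.50

# Equivalent form by interface name. Using both styles together means
# the union of the two sets, so pick one unless that is what you want.
#interface=eth0
#interface=ath0

# The remaining settings from the post are unaffected by the change.
domain-needed
bogus-priv
local=/alrac.net/
expand-hosts
domain=alrac.net
server=12.169.174.2
server=12.169.174.3
```

After restarting dnsmasq, `netstat -untap | grep dnsmasq` should list 127.0.0.1:53, 192.168.1.50:53 and 192.168.2.50:53 rather than 0.0.0.0:53, and an `nmap -p 53` from outside the LAN with the firewall down should report the port closed or filtered. Two caveats: with `bind-interfaces` the addresses must exist when dnsmasq starts, so it has to be restarted when an interface comes up later or changes address (later dnsmasq releases added `bind-dynamic` for exactly that case), and the DHCP socket on UDP 67 is not governed by the DNS listen options in the same way, so check it separately and keep the iptables rule in place regardless.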