[Dnsmasq-discuss] DNSMasq and DNS reflection attacks

Brian Rak brak at gameservers.com
Thu Oct 24 17:03:57 BST 2013

We've recently undertaken a project to clean up our network, and lock 
down all the open DNS resolvers.  As you may know, these are very 
frequently used for DDOS attacks: http://openresolverproject.org/ , 
http://www.team-cymru.org/Services/Resolvers/ .

I haven't been able to find any sort of configuration option that would 
prevent DNSMasq from being abused like this, and I've had to resort to 
iptables rules instead.  Is there a configuration option that that would 
disable responding to DNS queries from certain interfaces?  The other 
option that seems handy would be one to only reply to DNS queries from 
hosts that have a configured DHCP lease.

Are there any features of DNSMasq that would prevent it from being 
abused to conduct attacks?

More information about the Dnsmasq-discuss mailing list