[Dnsmasq-discuss] Limit DNS queries to the local subnet clients

Brian Rak brak at gameservers.com
Fri Nov 29 19:03:11 GMT 2013


Your initial answer seems to assume that if you don't tell anyone about 
your DNS server, no one will discover it.  That's pretty much wrong.  
Every public IP on the internet is going to be probed looking for open 
DNS servers to abuse multiple times a day.

Also, assuming that everyone is in a trusted, internal lan is not a 
valid assumption.  With various virtualization platforms using dnsmasq 
for DNS/DHCP, I'd say it's increasingly being used in places where it's 
directly exposed to the internet.

On 11/29/2013 10:34 AM, Don Muller wrote:
> Yes, if dnsmasq was open to the internet, but that would not prevent the request from coming in, just from it being answered. The question was how to limit dnsmasq to answer DNS queries only to clients of the subnet served by dnsmasq or to a defined subnet. So assuming it is in a controlled environment (internal LAN), if you don't set up the other subnets to send requests to dnsmasq then it would only receive requests on the subnets you do want to service. Besides, why would you want to set up the DNS resolver on subnets you were not going to answer? I think the answer to this is better network setup on the client subnets and also at the routers and firewalls.
>
> Don
>
>> -----Original Message-----
>> From: Brian Rak [mailto:brak at gameservers.com]
>> Sent: Friday, November 29, 2013 9:45 AM
>> To: Don Muller; dnsmasq-discuss at lists.thekelleys.org.uk
>> Subject: Re: [Dnsmasq-discuss] Limit DNS queries to the local subnet
>> clients
>>
>> That's how you end up with an open DNS resolver, and unwittingly DDOS
>> other machines.
>>
>> On 11/28/2013 10:52 PM, Don Muller wrote:
>>> Wouldn't it be better to not define dnsmasq as the DNS resolver for
>>> the subnets you don't want to handle?
>>> Sent from my iPad
>>>
>>> Don Muller
>>>
>>>> On Nov 28, 2013, at 12:26 PM, Édouard Thuleau <thuleau at gmail.com>
>>>> wrote:
>>>> Hi,
>>>>
>>>> I'm new to dnsmasq and I would like to know if we can limit it to answer
>>>> DNS queries only to clients of the subnet served by dnsmasq or to a
>>>> defined subnet?
>>>>
>>>> Regards,
>>>> Édouard.
>>>>
>>>> _______________________________________________
>>>> Dnsmasq-discuss mailing list
>>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
>
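The exposure Brian describes (an unconfigured dnsmasq answering recursive queries from anyone who probes it) can be checked from the configuration file itself. The script below is an added example and is not from the original thread or the dnsmasq project: it parses the plain key=value and bare-flag lines of a dnsmasq.conf and reports whether the DNS listener is scoped to particular interfaces or addresses. The option names it looks for (interface, except-interface, listen-address, bind-interfaces, local-service, port) are real dnsmasq options; local-service only exists in dnsmasq releases newer than this 2013 thread, and the man page states it has no effect once interface, except-interface or listen-address options are present. The two sample configurations are constructed for illustration, and conf-file= / conf-dir= includes are not followed.

```python
# Added example (not the thread's or dnsmasq's own code): audit a dnsmasq.conf
# for the open-resolver exposure discussed in the thread. Sample configs are
# constructed; conf-file= / conf-dir= includes are deliberately not followed.
from dataclasses import dataclass, field
from typing import List


@dataclass
class ListenerScope:
    interfaces: List[str] = field(default_factory=list)
    except_interfaces: List[str] = field(default_factory=list)
    listen_addresses: List[str] = field(default_factory=list)
    bind_interfaces: bool = False
    local_service: bool = False
    port: int = 53  # dnsmasq default DNS port; port=0 disables DNS entirely


def parse_dnsmasq_conf(text: str) -> ListenerScope:
    """Collect only the options that decide whose queries dnsmasq answers."""
    scope = ListenerScope()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "interface":
            scope.interfaces.append(value)
        elif key == "except-interface":
            scope.except_interfaces.append(value)
        elif key == "listen-address":
            scope.listen_addresses.extend(a.strip() for a in value.split(","))
        elif key == "bind-interfaces":
            scope.bind_interfaces = True
        elif key == "local-service":
            scope.local_service = True
        elif key == "port":
            scope.port = int(value)
    return scope


def audit(scope: ListenerScope) -> List[str]:
    """Return findings, most severe first; an empty list means 'restricted'."""
    if scope.port == 0:
        return []  # DNS disabled, nothing listens
    findings: List[str] = []
    scoped = bool(scope.interfaces or scope.listen_addresses)
    # Per the dnsmasq man page, local-service is ignored as soon as any
    # interface / except-interface / listen-address option is configured.
    effective_local_service = scope.local_service and not (
        scoped or scope.except_interfaces
    )
    if not scoped and not effective_local_service:
        findings.append(
            "OPEN: no interface=, listen-address= or effective local-service; "
            "dnsmasq answers recursive queries from any source address"
        )
    if scoped and not scope.bind_interfaces:
        findings.append(
            "INFO: without bind-interfaces dnsmasq binds the wildcard address "
            "and discards queries arriving on other interfaces; add "
            "bind-interfaces to bind only the listed ones"
        )
    if scope.except_interfaces and not scoped:
        findings.append(
            "WARN: except-interface only; every interface not listed, "
            "including ones added later, is served"
        )
    if scope.local_service and not effective_local_service:
        findings.append(
            "WARN: local-service has no effect alongside interface, "
            "except-interface or listen-address options"
        )
    return findings


def audit_text(text: str) -> List[str]:
    return audit(parse_dnsmasq_conf(text))


# Constructed sample: serves DHCP on the LAN but says nothing about which
# DNS clients to answer, so a public-facing host becomes an open resolver.
OPEN_CONF = """\
dhcp-range=192.168.1.50,192.168.1.150,12h
domain-needed
bogus-priv
"""

# Constructed sample: the same service restricted to the LAN-facing interface.
RESTRICTED_CONF = """\
# LAN-facing interface only, and bind to it rather than the wildcard address
interface=eth1
bind-interfaces
dhcp-range=192.168.1.50,192.168.1.150,12h
domain-needed
bogus-priv
"""


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("restricted", RESTRICTED_CONF)):
        print(name, audit_text(conf) or ["restricted to configured scope"])
```

Running it prints an OPEN finding for the first sample and nothing for the second. A clean result from this check is still only half of Don's point: the host-level scoping should sit behind a firewall rule that only admits UDP/TCP 53 from the served subnets, so a future configuration change cannot silently reopen the resolver.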
