[Dnsmasq-discuss] Limit DNS queries to the local subnet clients

Édouard Thuleau thuleau at gmail.com
Thu Dec 5 08:22:00 GMT 2013

I found a recent thread [1] that already treats that problem [2].

Sorry for the noise; I am going to propose a patch for Neutron.

[1] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q4/thread.html#7707
[2] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q4/007721.html


On Thu, Dec 5, 2013 at 8:56 AM, Édouard Thuleau <thuleau at gmail.com> wrote:
> In OpenStack, a dedicated isolated (through network namespaces) port
> is created to bind dnsmasq.
> My problem is if I create a public network/subnet (like a network
> routed on the internet or another WAN) with Neutron and activate the IPAM
> (DHCP & DNS cache) service on it, other networks routed with that
> public network can access my IPAM port and use it as a DNS resolver.
> And in the case of a network routed on the internet, all the world can
> access it and could use it as an open DNS and
> unwittingly DDoS other machines.
> So my question is 'Can I limit dnsmasq to answer DNS queries only to
> clients of the subnet served by dnsmasq or to a defined subnet?'.
> If not, I will add an ACL on the dnsmasq port.
> Édouard.
> On Sat, Nov 30, 2013 at 3:34 AM, Jim Alles <kb3tbx at gmail.com> wrote:
>> Édouard Thuleau <thuleau at gmail.com> wrote:
>> Nov 28 (1 day ago)
>> to dnsmasq-discuss
>> Hi,
>> I'm new to dnsmasq and I'd like to know if we can limit it to answer
>> DNS queries only to clients of the subnet served by dnsmasq or to a
>> defined subnet?
>> Regards,
>> Édouard.
>> ________________
>> Is it not as simple as this?
>> "One thing you will probably want to do is tell dnsmasq which ethernet
>> interface it can and cannot listen on, as we really don't want it
>> listening on the internet. By default dnsmasq offers DNS service on
>> all the configured interfaces of a host. It's likely that you don't
>> (for instance) want to offer a DNS service to the world via an
>> interface connected to ADSL or cable-modem so dnsmasq allows you to
>> specify which interfaces it will listen on. Use either the interface
>> or address options to do this.
>> If I didn't edit this line, it would also listen on eth0, my internet
>> connection. I personally wouldn't recommend this, as it gives those
>> evil guys a few doors to try to break into.
>> except-interface=<WAN interface name (ethN)>"
>> Peace,
>> Jim Alles
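
The thread's concern is a dnsmasq instance whose DNS listener is reachable from beyond the subnet it serves. The following is an added example, not code from this thread, from dnsmasq or from Neutron: a small Python audit that parses a dnsmasq configuration and reports whether the DNS listener is scoped to specific interfaces (the `interface`, `except-interface`, `listen-address` and `bind-interfaces` options quoted above) and whether `local-service` is set. `local-service` is a real dnsmasq option that restricts answers to hosts on a subnet the server has an interface on; it was added in dnsmasq 2.69, a release later than this thread. The two embedded configurations are constructed, and the port name `tap-PLACEHOLDER` is a stand-in for whatever the namespace port is called.

```python
"""Audit a dnsmasq configuration for how widely its DNS listener is exposed.

Added example for the dnsmasq-discuss thread on limiting DNS answers to
local subnet clients. Not part of dnsmasq or Neutron.
"""
from __future__ import annotations

# Constructed: DHCP configured, DNS listener left at its default, which
# answers on every configured interface of the host.
WEAK_CONF = """\
# constructed dnsmasq.conf: no listener scoping at all
dhcp-range=10.0.0.2,10.0.0.254,12h
"""

# Constructed: DNS bound only to the namespace port, loopback excluded,
# and answers limited to hosts on local subnets.
HARDENED_CONF = """\
# constructed dnsmasq.conf: tap-PLACEHOLDER is a hypothetical port name
interface=tap-PLACEHOLDER
bind-interfaces
except-interface=lo
local-service
dhcp-range=10.0.0.2,10.0.0.254,12h
"""


def parse_dnsmasq_conf(text: str) -> list[tuple[str, str | None]]:
    """Return (option, value) pairs; bare options get value None.

    dnsmasq config lines are 'option' or 'option=value'; '#' starts a comment.
    """
    entries: list[tuple[str, str | None]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        entries.append((key.strip(), value.strip() if sep else None))
    return entries


def audit_dnsmasq_conf(text: str) -> dict:
    """Report listener scoping and a list of findings (empty means scoped)."""
    entries = parse_dnsmasq_conf(text)
    present = {key for key, _ in entries}
    interfaces = [v for k, v in entries if k == "interface" and v]
    excluded = [v for k, v in entries if k == "except-interface" and v]
    addresses = [v for k, v in entries if k == "listen-address" and v]
    scoped = bool(interfaces or excluded or addresses)

    findings: list[str] = []
    if not scoped:
        findings.append(
            "no interface=, except-interface= or listen-address=: "
            "DNS is answered on every interface of the host"
        )
    if interfaces and not ({"bind-interfaces", "bind-dynamic"} & present):
        findings.append(
            "interface= without bind-interfaces or bind-dynamic: the socket "
            "is still bound to the wildcard address and filtered after receipt"
        )
    if "local-service" not in present:
        findings.append(
            "no local-service: queries from non-local subnets that reach the "
            "listener are answered"
        )
    return {
        "interfaces": interfaces,
        "excluded": excluded,
        "addresses": addresses,
        "open_resolver_risk": not scoped,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        report = audit_dnsmasq_conf(conf)
        print(f"{name}: open_resolver_risk={report['open_resolver_risk']}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

Interface scoping alone decides which interfaces dnsmasq answers on; it does not stop a query that arrives on the permitted interface from a remote source address, which is the routed-network case described in the thread. That is the gap `local-service` (or an ACL on the port) closes, so the audit reports both independently.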
