[Dnsmasq-discuss] Recursive DNS on dnsmasq

Albert ARIBAUD albert.aribaud at free.fr
Tue Feb 25 17:53:58 UTC 2014


On 25/02/2014 18:36, Jeroen van der Ham wrote:
> Hi,
>
> On 25 Feb 2014, at 17:04, Albert ARIBAUD <albert.aribaud at free.fr>
> wrote:
>> It is possible, however I think it is not the province of dnsmasq
>> itself, but of packagers who integrate dnsmasq in distributions --
>> and of system admins, who can and should go beyond simply
>> installing the package.
>
> The problem is that dnsmasq is now increasingly being used on systems
> where you have less than clueful system administrators. You see now
> that OpenWRT includes it in their system, but also newer versions of
> Ubuntu come with it installed by default.

Yes, they do; I am running one actually right now, and its dnsmasq 
configuration is safe since it only listens on 127.0.0.1 and therefore 
won't answer as an open DNS -- that's what I meant by 'this is the 
province of packagers who integrate dnsmasq'.

I can't vouch for OpenWRT, though.

> dnsmasq serves as a DHCP and DNS server, so it should really know for
> who it should serve recursive queries, right?

Hmm, no. DHCP is not tightly linked to DNS. Hosts can perfectly run in a 
network without doing any DHCP but still use DNS; and conversely, a 
host might use DHCP from dnsmasq but run its own DNS for various reasons.

>> Personally, I have configured not only dnsmasq but also iptables
>> and ip6tables so that my local dnsmasq does not serve as an open
>> DNS.
>
> I assume a secure by default configuration for almost everything I
> install.

I prefer checking rather than assuming :) but yes, the default 
configuration should be secure; however the default configuration for 
any package will differ from distro to distro, and is usually reviewed 
and safe.

At most, one might want dnsmasq to behave as safely as possible without 
any configuration at all, but then, it won't have an upstream server 
configured, so it won't be able to resolve at all, and would thus be a 
poor open NS.

> Jeroen.

Kind regards,
-- 
Albert.
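The thread turns on whether a given dnsmasq.conf actually scopes the listener (127.0.0.1 only, a named interface, local subnets) or leaves it answering on every interface unless iptables/ip6tables steps in. The lint below is an added example, not code from the thread or from the dnsmasq project; it checks only the dnsmasq directives (`port`, `interface`, `listen-address`, `local-service`, all real options), and assumes the firewall layer is reviewed separately. The sample configurations are constructed.

```python
"""Lint a dnsmasq configuration for open-resolver exposure (added example)."""
import ipaddress

def parse_dnsmasq_conf(text):
    """Return (key, value) pairs from dnsmasq.conf text; bare flags get None."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, sep, value = line.partition("=")
        entries.append((key.strip(), value.strip() if sep else None))
    return entries

def assess_exposure(text):
    """Classify as 'disabled', 'restricted' or 'open-by-default'.

    'restricted' means dnsmasq itself limits who it answers; 'open-by-default'
    means nothing in the file scopes the listener, so only a host firewall
    would stop it acting as an open resolver.
    """
    entries = parse_dnsmasq_conf(text)
    keys = {k for k, _ in entries}
    if ("port", "0") in entries:
        return "disabled"          # DNS function switched off entirely
    if "local-service" in keys or "interface" in keys:
        # interface= binds the wildcard without bind-interfaces, but queries
        # arriving on other interfaces are discarded, so it still scopes replies.
        return "restricted"
    addrs = [a for k, v in entries if k == "listen-address" and v
             for a in v.split(",")]
    if addrs:
        ips = [ipaddress.ip_address(a.strip()) for a in addrs]
        if all(ip.is_loopback or ip.is_private for ip in ips):
            return "restricted"    # loopback / RFC1918 / ULA only
        return "open-by-default"   # bound to a globally routable address
    return "open-by-default"       # no scoping directive: every interface

# Constructed samples, not taken from any real host.
LOCAL_STUB = """
listen-address=127.0.0.1   # desktop-style stub, loopback only
bind-interfaces
"""
BARE_FORWARDER = """
server=192.0.2.53          # upstream set, but nothing scopes the listener
cache-size=1000
"""
```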
