[Dnsmasq-discuss] dnsmasq to provide public DNS service

Albert ARIBAUD albert.aribaud at free.fr
Mon Jul 4 09:56:05 BST 2016

Hi Tong,

On Sun, 3 Jul 2016 22:40:05 +0000 (UTC),
T o n g <mlist4suntong at yahoo.com> wrote:

> On Sat, 02 Jul 2016 21:27:11 +0200, Albert ARIBAUD wrote:
> >> The machine from which I run dig gets its DNS servers is the one
> >> that I tweaked the /etc/dnsmasq.d/public.conf file, by doing which
> >> my DNS breaks. And on removing the file, my DNS service (served
> >> by local dnsmasq) works again.
> >> 
> >> And, yes, basically I'm creating an open DNS server, and since
> >> nobody is doing that, I can't find any information on how to set
> >> it up properly.  
> > 
> > Nobody should do that indeed, because it is a very bad idea: your
> > machine may then serve as an amplifier for DDoS attacks.  
> I'm more interested in knowing how to do that than in actually providing
> the DNS service. BTW, on that thought, how are the ISP's or Google's DNS
> servers able to avoid being an amplifier for DDoS attacks?

They have DDoS mitigation machines between their DNS servers and the
rest of the world, which watch traffic and curb / cut it when they
detect abnormal traffic, e.g. sudden heavy traffic to one (set of)

> > Still, the configuration -- as far as dnsmasq is concerned -- is the
> > same for an open DNS and a LAN DNS.
> > 
> > Could you please describe your setup from a network perspective ?  
> I don't quite understand what you are asking. Consider it is my own
> box behind my ISP. How does this network setup have anything to do with
> the question?

Basically, my question boils down to two questions: is dnsmasq using
external DNS servers as upstreams, or does it use a local recursive
server such as bind or unbound? Also, do you test your dnsmasq with
another host on the LAN, or from the same machine that hosts dnsmasq?

> Ideally, I just want to use a file, say /etc/dnsmasq.d/public.conf,
> to turn it on. Then, I can easily turn it off by removing the file.
> It's not like I'm broadcasting to the world that I have this. It's
> for my own personal usage.

Lots of people use dnsmasq for serving their LAN, myself included, so
that works pretty much out-of-the-box if you just make dnsmasq listen
to the LAN interface of the host running it.

Providing worldwide access is then not a dnsmasq question, but a
LAN-to-Internet routing question.

As I'm still not sure how open you want your dnsmasq to be, I'm
asking explicitly: do you want your dnsmasq to serve DNS queries from
your LAN only, or from anywhere in the world?

> Had I been able to do it myself, there
> wouldn't have been a public discussion/announcement of it. I.e., nobody
> would have known.

As an aside: never rely on "people not knowing". Security by obscurity
is arguably worse than no security at all, as you /believe/ you have
some security which you actually don't have. Take my word for it: if
you "secretly" leave your dnsmasq open to the world, it /will/ be used,
and by people who are interested in taking advantage of the resource.

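The LAN-only setup Albert describes, as an added example that is not part of the thread: two constructed /etc/dnsmasq.d fragments, one with no listener restriction (dnsmasq's default, which answers on every address including the ISP-facing one) and one limited to the LAN side, plus a small audit function that reports which shape a fragment has. Interface names and the upstream address are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing list). Writes two constructed dnsmasq
# fragments to temp files and audits them. eth0/eth1 and 8.8.8.8 are placeholders.

open_file=$(mktemp)
lan_file=$(mktemp)

# Weak: nothing limits where dnsmasq listens or whom it answers, so the box
# resolves for the whole Internet and can be used as a reflection/amplification
# source.
cat >"$open_file" <<'EOF'
port=53
server=8.8.8.8
EOF

# LAN-only: bind the LAN NIC alone and refuse queries from off-link sources.
cat >"$lan_file" <<'EOF'
port=53
# eth1 is the LAN NIC, eth0 faces the ISP (placeholder names)
interface=eth1
# really bind only eth1 instead of 0.0.0.0 plus filtering
bind-interfaces
# only answer sources on a directly attached subnet
local-service
server=8.8.8.8
EOF

# dnsmasq_scope FILE -> prints "lan-only" or "open" (heuristic: looks for
# listener-restricting directives after stripping comments and blank lines)
dnsmasq_scope() {
  d=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")
  if printf '%s\n' "$d" | grep -Eq '^[[:space:]]*listen-address=(0\.0\.0\.0|::)[[:space:]]*$'; then
    echo open
  elif printf '%s\n' "$d" | grep -Eq '^[[:space:]]*(interface=|except-interface=|listen-address=|local-service)'; then
    echo lan-only
  else
    echo open
  fi
}

# Run the audit over both fragments.
for f in "$open_file" "$lan_file"; do
  printf '%s: %s\n' "$f" "$(dnsmasq_scope "$f")"
done
# After deploying the LAN-only fragment, confirm from a LAN host that
# `dig @<lan address> example.com` still answers, and from a host outside the
# LAN that the same query against your public address times out.
```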