[Dnsmasq-discuss] dnsmasq to provide public DNS service

T o n g mlist4suntong at yahoo.com
Mon Jul 4 14:05:35 BST 2016


On Mon, 04 Jul 2016 10:56:05 +0200, Albert ARIBAUD wrote:

>> >> The machine from which I run dig gets its DNS servers from is the one
>> >> on which I tweaked the /etc/dnsmasq.d/public.conf file, by doing which
>> >> my DNS breaks. And on removing the file, my DNS service (served by
>> >> local dnsmasq) works again.
>> >> 
>> >> And, yes, basically I'm creating an open DNS server, and since
>> >> nobody is doing that, I can't find any information on how to set it
>> >> up properly.
>> > 
>> > Nobody should do that indeed, because it is a very bad idea: your
>> > machine may then serve as an amplifier for DDoS attacks.
>> 
>> I'm more interested to know how to do that than actually provide the
>> DNS service. BTW, on to that thought, how are the ISP's or Google's DNS
>> servers able to avoid being an amplifier for DDoS attacks?
> 
> They have DDoS mitigation machines between their DNS servers and the
> rest of the world, which watch traffic and curb / cut it when they
> detect abnormal traffic, e.g. sudden heavy traffic to one (set of)
> destination(s).

Thanks,

>> > Still, the configuration -- as far as dnsmasq is concerned -- is the
>> > same for an open DNS and a LAN DNS.
>> > 
>> > Could you please describe your setup from a network perspective?
>> 
>> I don't quite understand what you are asking. Consider it is my own box
>> behind my ISP. How does this network setup have anything to do with the
>> question?
> 
> Basically, my question boils down to two questions: is dnsmasq using
> external DNS servers as upstreams, or does it use a local recursive
> server such as bind or unbound? Also, do you test your dnsmasq with
> another host on the LAN, or from the same machine that hosts dnsmasq?
> 
>> Ideally, I just want to use a file, say /etc/dnsmasq.d/public.conf, to
>> turn it on. Then, I can easily turn it off by removing the file. It's
>> not as if I'm broadcasting to the world that I have this. It's for my
>> own personal usage.
> 
> Lots of people use dnsmasq for serving their LAN, myself included, so
> that works pretty much out-of-the-box if you just make dnsmasq listen to
> the LAN interface of the host running it.
> 
> Providing worldwide access is then not a dnsmasq question, but a
> LAN-to-Internet routing question.

OK, that explains why, when I changed mine from 192.168.1.1 in the
following to 0.0.0.0, it stopped working:

    $ cat /etc/dnsmasq.d/public.conf
    # listen to public
    listen-address=0.0.0.0
    # provide only DNS service and disable DHCP and TFTP on it
    no-dhcp-interface=eth0

So, it confirms that dnsmasq only works for LAN, but not for the public.

> As I'm still not sure how much open you want your dnsmasq to be, I'm
> asking explicitly: do you want your dnsmasq to serve DNS queries from
> your LAN only, or from anywhere in the world?

Yep, beyond the LAN, for anywhere in the world, as I said in my OP,
"I'm to provide DNS service to the public (outside my local network)".

>> Had I been able to do it myself, there wouldn't have been a public
>> discussion/announcement of it. I.e., nobody would have known.
> 
> As an aside: never rely on "people not knowing". Security by obscurity
> is arguably worse than no security at all, as you /believe/ you have
> some security which you actually don't have. Take my word for it: if you
> "secretly" leave your dnsmasq open to the world, it /will/ be used,
> and by people who are interested in taking advantage of the resource.

OK. Noted. I'll turn it off as soon as I'm done then.
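An added check, not code from the thread or from the dnsmasq project: it reads a dnsmasq.d fragment and reports the settings that would make the resolver answer queries from beyond the LAN, using the fragment posted above next to a LAN-only counterpart. The option names listen-address, interface, bind-interfaces and local-service are real dnsmasq options; the function names and finding texts are this script's own.

```python
"""Flag dnsmasq settings that expose the resolver beyond the LAN."""
from collections import defaultdict
import ipaddress

# Constructed samples: the fragment from the thread, and a LAN-only version.
OPEN_CONF = """\
# listen to public
listen-address=0.0.0.0
# provide only DNS service and disable DHCP and TFTP on it
no-dhcp-interface=eth0
"""
LAN_CONF = """\
listen-address=192.168.1.1
bind-interfaces
local-service
"""


def parse_dnsmasq(text):
    """Return {option: [values]}; a bare flag gets an empty-string value."""
    opts = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()].append(value.strip())
    return opts


def exposure_findings(text):
    """List reasons the config would answer DNS queries from outside the LAN."""
    opts = parse_dnsmasq(text)
    findings = []
    addrs = [a for v in opts.get("listen-address", []) for a in v.split(",") if a]
    # With neither listen-address nor interface, dnsmasq listens on all interfaces.
    if not addrs and "interface" not in opts:
        findings.append("no listen-address/interface: listens on every address")
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.is_unspecified:
            findings.append(f"listen-address={a} is the wildcard address")
        elif ip.is_global:
            findings.append(f"listen-address={a} is a public address")
    # local-service restricts answers to hosts on a directly attached subnet.
    if "local-service" not in opts:
        findings.append("local-service not set: not limited to local subnets")
    return findings
```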