[Dnsmasq-discuss] [PATCH] Introduce local-service=host specialization
Simon Kelley
simon at thekelleys.org.uk
Sun Dec 3 18:29:59 UTC 2023
Looks sensible to me. Very much in the spirit of the original
--local-service option flag.
I'm minded to commit this unless anyone has an objection.
Simon.
On 30/11/2023 17:59, Petr Menšík wrote:
> Hello!
>
> I have already sent a similar proposal in 2021 [1]. But I have
> reworked it a bit to reuse the existing --local-service option and just
> add a new parameter to it. If --local-service=host is used, dnsmasq will
> bind to addresses on the lo interface only. It will not even open the port on
> other interfaces, preventing possible scanning of the running service from
> outside.
>
> It roughly becomes a default similar to what other resolvers use without
> configuration. BIND9 or unbound will also listen on localhost only.
>
> To avoid regressions, it still becomes inactive when any --interface,
> --listen-address or similar is specified at least once. Then you have to
> explicitly use --interface=lo to listen *also* on localhost.
>
> The change is related to Fedora bug #1852373 [2], and also to the newly re-opened
> CVE-2020-14312 issue for RHEL8 [3]. Having explicitly specified
> bind-interfaces & interface=lo in the dnsmasq default configuration has
> resulted in multiple regressions across different packages, which did
> not rewrite the distribution-provided configuration. I think it could be
> useful for others as well.
>
> What do you think?
>
> Looking for any feedback!
>
> Regards,
> Petr
>
> 1.
> https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q4/015749.html
> 2. https://bugzilla.redhat.com/show_bug.cgi?id=1852373
> 3. https://issues.redhat.com/browse/RHEL-9516
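The exposure rules Petr describes (local-service=host restricts dnsmasq to lo, but any interface= or listen-address= option disables that specialization, and an explicit interface=lo only avoids opening the port elsewhere when paired with bind-interfaces) can be turned into a small configuration audit. The following is an added example for defenders reviewing a dnsmasq.conf; it is not part of Petr's patch or dnsmasq's own code. It assumes a simplified model of the option semantics stated in the thread: it recognises only local-service, bind-interfaces, interface and listen-address, and it treats interface=lo without bind-interfaces as still exposing port 53 on other interfaces, which is dnsmasq's documented wildcard-bind behaviour rather than something the thread spells out.

```python
"""Audit a dnsmasq configuration for whether the DNS port ends up loopback-only.

Simplified model (an assumption of this example, not dnsmasq's own parser):
  * local-service=host  -> bind only to addresses on lo, unless any
    interface= / listen-address= option is present, which disables it.
  * Otherwise the port is reachable from non-loopback interfaces unless
    every interface= / listen-address= entry is loopback AND
    bind-interfaces is set (without it dnsmasq binds the wildcard address).
"""
from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress

LOOPBACK_IFACES = {"lo"}


@dataclass
class DnsmasqConfig:
    local_service: Optional[str] = None      # None (absent), "" (bare flag) or "host"
    bind_interfaces: bool = False
    interfaces: List[str] = field(default_factory=list)
    listen_addresses: List[str] = field(default_factory=list)


def parse_config(text: str) -> DnsmasqConfig:
    """Parse the handful of dnsmasq.conf options the audit cares about."""
    cfg = DnsmasqConfig()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lstrip("-")            # accept "--option=" spellings too
        value = value.strip()
        if key == "local-service":
            cfg.local_service = value
        elif key == "bind-interfaces":
            cfg.bind_interfaces = True
        elif key == "interface":
            cfg.interfaces.append(value)
        elif key == "listen-address":
            cfg.listen_addresses.extend(a.strip() for a in value.split(","))
    return cfg


def _is_loopback_address(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def loopback_only(cfg: DnsmasqConfig) -> bool:
    """True when, under the model above, port 53 is only bound on loopback."""
    scoped = bool(cfg.interfaces or cfg.listen_addresses)
    if cfg.local_service == "host" and not scoped:
        return True
    if not scoped or not cfg.bind_interfaces:
        return False
    return (all(i in LOOPBACK_IFACES for i in cfg.interfaces)
            and all(_is_loopback_address(a) for a in cfg.listen_addresses))


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means loopback-only."""
    cfg = parse_config(text)
    if loopback_only(cfg):
        return []
    if cfg.local_service == "host":
        return ["local-service=host is disabled because interface=/listen-address= "
                "is present; add interface=lo with bind-interfaces to keep loopback only"]
    if not (cfg.interfaces or cfg.listen_addresses):
        return ["no listener restriction: port 53 is reachable on every interface "
                "(consider local-service=host)"]
    if not cfg.bind_interfaces:
        return ["interface=/listen-address= without bind-interfaces: the wildcard "
                "address is still bound, so the port is visible on other interfaces"]
    return ["listener restriction includes a non-loopback interface or address"]


# Constructed sample configurations (not taken from any real host).
SAMPLES = {
    "host-only":        "local-service=host\n",
    "host-overridden":  "local-service=host\ninterface=eth0\n",
    "fedora-style":     "bind-interfaces\ninterface=lo\n",
    "lo-no-bind":       "interface=lo\n",
    "listen-loopback":  "listen-address=127.0.0.1,::1\nbind-interfaces\n",
    "default":          "",
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        print(f"{name:16s} loopback_only={loopback_only(parse_config(conf))} {audit(conf)}")
```

Running the module prints one line per constructed sample; only `host-only`, `fedora-style` and `listen-loopback` come out loopback-only, which matches the thread's point that local-service=host gives the safe default without the bind-interfaces + interface=lo pair that caused regressions in distribution configs.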