Bug 188548 - Prevent dns/dnsmasq from becoming an open recursive resolver
Summary: Prevent dns/dnsmasq from becoming an open recursive resolver
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Matthias Andree
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-13 11:10 UTC by Jeroen van der Ham
Modified: 2014-04-15 18:50 UTC (History)

See Also:


Attachments

Description Jeroen van der Ham 2014-04-13 11:10:02 UTC
dnsmasq has been updated to version 2.69 recently to include DNSSEC support, but it also has a new flag, --local-service. This flag changes the behaviour of the DNS resolver part of dnsmasq so that it only answers queries made from the same subnet as it is in. Previous versions of dnsmasq were configured by default to respond to any DNS query, making it an easy target to use in DDoS attacks.

So please enable the --local-service flag by default?

Fix: 

Set the default configuration to use the --local-service flag by default.
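As an added example (not code from this bug report or from the dnsmasq port), a small Python checker for a dnsmasq.conf that applies the caveat in the option's own description, quoted in the patch committed below: local-service has no effect once interface, except-interface, listen-address or auth-server options are present. The sample configurations are constructed, and the checker assumes a single file (conf-file= and conf-dir= includes are not followed).

```python
# Added example, not code from the bug report or the dnsmasq port. It applies
# the caveat quoted from upstream in the port's patch: local-service is
# silently ignored once any interface, except-interface, listen-address or
# auth-server option is set, so a config can carry the line and still answer
# queries from any source. Assumed limitation: conf-file= and conf-dir=
# includes are not followed; run the check on each included file as well.

# Options whose presence makes local-service a no-op (per the example's comment).
OVERRIDING_OPTIONS = ("interface", "except-interface", "listen-address", "auth-server")


def parse_dnsmasq_conf(text):
    """Return (option, value) pairs; value is None for bare flags like local-service."""
    options = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        name, sep, value = line.partition("=")
        options.append((name.strip(), value.strip() if sep else None))
    return options


def check_resolver_scope(text):
    """Classify which sources dnsmasq will answer DNS queries from.

    Returns (status, overriding); overriding lists the options found that
    void local-service, and status is one of:
      "open"                   no restriction: answers any source address
      "local-service"          answers only hosts on directly attached subnets
      "local-service-ignored"  local-service present but voided by `overriding`
      "explicit-binding"       restricted only by `overriding`; verify they do
                               not bind a public-facing address
    """
    names = [name for name, _ in parse_dnsmasq_conf(text)]
    overriding = sorted({n for n in names if n in OVERRIDING_OPTIONS})
    has_local_service = "local-service" in names
    if overriding:
        return ("local-service-ignored" if has_local_service else "explicit-binding", overriding)
    return ("local-service" if has_local_service else "open", overriding)


# Constructed sample configurations.
SAFE_CONF = "# stock example after the port's patch\nlocal-service\n#no-hosts\n"
IGNORED_CONF = "local-service\ninterface=em0   # added later by an admin\n"
OPEN_CONF = "domain-needed\nbogus-priv\n"

if __name__ == "__main__":
    for label, conf in (("safe", SAFE_CONF), ("ignored", IGNORED_CONF), ("open", OPEN_CONF)):
        print(label, check_resolver_scope(conf))
```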
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2014-04-13 11:47:23 UTC
Responsible Changed
From-To: freebsd-ports-bugs->mandree

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 dfilter service freebsd_committer freebsd_triage 2014-04-15 18:40:49 UTC
Author: mandree
Date: Tue Apr 15 17:40:46 2014
New Revision: 351356
URL: http://svnweb.freebsd.org/changeset/ports/351356
QAT: https://qat.redports.org/buildarchive/r351356/

Log:
  Propose local-service option in default .example configuration.
  
  PR:		ports/188548
  Submitted by:	Jeroen van der Ham <jeroen@1sand0s.nl>

Added:
  head/dns/dnsmasq/files/patch-dnsmasq.conf.example   (contents, props changed)
Modified:
  head/dns/dnsmasq/Makefile

Modified: head/dns/dnsmasq/Makefile
==============================================================================
--- head/dns/dnsmasq/Makefile	Tue Apr 15 17:33:02 2014	(r351355)
+++ head/dns/dnsmasq/Makefile	Tue Apr 15 17:40:46 2014	(r351356)
@@ -4,6 +4,7 @@
 PORTNAME=	dnsmasq
 DISTVERSION=	2.69
 PORTEPOCH=	1
+PORTREVISION=	1
 CATEGORIES=	dns ipv6
 MASTER_SITES=	http://www.thekelleys.org.uk/dnsmasq/ \
 		LOCAL/mandree/
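Review bot: style point on the Makefile hunk: the Porter's Handbook orders the version variables PORTNAME, DISTVERSION, PORTREVISION, PORTEPOCH, so the new `+PORTREVISION=	1` line belongs above `PORTEPOCH=	1` rather than below it. The bump itself is warranted, since the installed dnsmasq.conf.example changes.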

Added: head/dns/dnsmasq/files/patch-dnsmasq.conf.example
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/dns/dnsmasq/files/patch-dnsmasq.conf.example	Tue Apr 15 17:40:46 2014	(r351356)
@@ -0,0 +1,15 @@
+--- ./dnsmasq.conf.example.orig	2014-04-09 21:36:53.000000000 +0200
++++ ./dnsmasq.conf.example	2014-04-15 19:32:54.000000000 +0200
+@@ -123,6 +123,12 @@
+ # running another nameserver on the same machine.
+ #bind-interfaces
+ 
++# Accept DNS queries only from hosts whose address is on a local
++# subnet, ie a subnet for which an interface exists on the server.
++# This option only has effect if there are no --interface
++# --except-interface, --listen-address or --auth-server options.
++local-service
++
+ # If you don't want dnsmasq to read /etc/hosts, uncomment the
+ # following line.
+ #no-hosts
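Review bot: the added comment states that local-service has no effect once --interface, --except-interface, --listen-address or --auth-server is set, so an admin who later adds an `interface=` or `listen-address=` line to this file loses the restriction silently; suggest making that dependency explicit in the comment, e.g. `# If you set any of those options, local-service is ignored and you` / `# must restrict the listening addresses yourself.`, and fixing the missing comma after `--interface` and `ie` (i.e.) in the copied upstream wording. Also, as the log says, only the .example file changes, so existing installations with a live dnsmasq.conf keep answering any source; a pkg-message hint pointing at local-service would help those users.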
Comment 3 Matthias Andree freebsd_committer freebsd_triage 2014-04-15 18:41:10 UTC
State Changed
From-To: open->closed

Committed. Thanks!