Bug 188548

Summary: Prevent dns/dnsmasq from becoming an open recursive resolver
Product: Ports & Packages Reporter: Jeroen van der Ham <jeroen>
Component: Individual Port(s) Assignee: Matthias Andree <mandree>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description Jeroen van der Ham 2014-04-13 11:10:02 UTC
dnsmasq has been updated to version 2.69 recently to include DNSSEC support, but also has a new flag --local-service. This flag changes the behaviour of the DNS resolver part of dnsmasq so that it only answers to queries made from the same subnet as it is in. Previous versions of dnsmasq were configured by default to respond to any DNS query, making it an easy target to use in DDoS attacks.

So please enable the --local-service flag by default?

Fix: 

Set the default configuration to use the --local-service flag by default.
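The admission rule the description refers to, written out as an added example. This is not dnsmasq's code and not part of the PR: it is a small simulator of the documented --local-service semantics (answer only when the query's source address falls inside a subnet of one of the server's interfaces, and the option has no effect once interface=, except-interface=, listen-address= or auth-server= is present). Without an active local-service filter the simulator treats the resolver as open, which is the pre-2.69 default behaviour the reporter describes. The interface subnets, the two configuration snippets and all query source addresses are constructed for the example.

```python
"""Simulate dnsmasq's --local-service admission rule (added example, not dnsmasq code)."""
import ipaddress
from typing import Dict, Iterable, List

# Options that, per the dnsmasq.conf.example comment added in this PR,
# cause local-service to have no effect.
OVERRIDING_OPTIONS = ("interface", "except-interface", "listen-address", "auth-server")

# Constructed interface addressing for the resolver host (one IPv4, one IPv6 subnet).
INTERFACE_SUBNETS = ["192.0.2.10/24", "2001:db8::1/64"]

# Constructed configs: the old example (no filter) and the example as patched by this PR.
OPEN_CONF = """
# Uncomment to bind only explicitly listed interfaces.
#bind-interfaces
#no-hosts
"""

HARDENED_CONF = """
#bind-interfaces
# Accept DNS queries only from hosts whose address is on a local subnet.
local-service
#no-hosts
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Parse dnsmasq.conf-style text into {option: [values]}.

    Each line is either 'option' or 'option=value'; '#' starts a comment
    and blank lines are ignored. Repeated options accumulate their values.
    """
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        opts.setdefault(key.strip(), []).append(value.strip())
    return opts


def local_service_active(opts: Dict[str, List[str]]) -> bool:
    """True only if local-service is set and none of the overriding options are."""
    if "local-service" not in opts:
        return False
    return not any(option in opts for option in OVERRIDING_OPTIONS)


def is_local_source(src: str, interface_subnets: Iterable[str]) -> bool:
    """True if src lies inside a subnet for which the server has an interface.

    ip_network(strict=False) accepts interface addresses with host bits set
    (e.g. 192.0.2.10/24); mixed IPv4/IPv6 comparisons simply yield False.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in interface_subnets)


def answers_query(src: str, opts: Dict[str, List[str]], interface_subnets: Iterable[str]) -> bool:
    """Decide whether the resolver answers a query from src under this config.

    Simplification (assumption of this example): with no active local-service
    filter the resolver is modelled as answering every source, i.e. as open.
    """
    if not local_service_active(opts):
        return True
    return is_local_source(src, interface_subnets)


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        parsed = parse_conf(conf)
        for src in ("192.0.2.55", "198.51.100.7", "2001:db8::abcd"):
            print(f"{name:8s} query from {src:16s} -> answered={answers_query(src, parsed, INTERFACE_SUBNETS)}")
```

The last case worth running is the one the patch's own comment warns about: append `interface=em0` to the hardened config and `local_service_active()` turns False, so the source-subnet check silently stops applying and exposure is again decided by which interfaces dnsmasq listens on.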
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2014-04-13 11:47:23 UTC
Responsible Changed
From-To: freebsd-ports-bugs->mandree

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 dfilter service freebsd_committer freebsd_triage 2014-04-15 18:40:49 UTC
Author: mandree
Date: Tue Apr 15 17:40:46 2014
New Revision: 351356
URL: http://svnweb.freebsd.org/changeset/ports/351356
QAT: https://qat.redports.org/buildarchive/r351356/

Log:
  Propose local-service option in default .example configuration.
  
  PR:		ports/188548
  Submitted by:	Jeroen van der Ham <jeroen@1sand0s.nl>

Added:
  head/dns/dnsmasq/files/patch-dnsmasq.conf.example   (contents, props changed)
Modified:
  head/dns/dnsmasq/Makefile

Modified: head/dns/dnsmasq/Makefile
==============================================================================
--- head/dns/dnsmasq/Makefile	Tue Apr 15 17:33:02 2014	(r351355)
+++ head/dns/dnsmasq/Makefile	Tue Apr 15 17:40:46 2014	(r351356)
@@ -4,6 +4,7 @@
 PORTNAME=	dnsmasq
 DISTVERSION=	2.69
 PORTEPOCH=	1
+PORTREVISION=	1
 CATEGORIES=	dns ipv6
 MASTER_SITES=	http://www.thekelleys.org.uk/dnsmasq/ \
 		LOCAL/mandree/
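Review bot: The PORTREVISION=1 bump is warranted because the installed dnsmasq.conf.example changes content, but neither this hunk nor the commit log tells a user upgrading the package that an already copied dnsmasq.conf is left untouched and therefore keeps answering queries from any source; consider a short pkg-message note pointing at the new local-service line in the example file.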

Added: head/dns/dnsmasq/files/patch-dnsmasq.conf.example
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/dns/dnsmasq/files/patch-dnsmasq.conf.example	Tue Apr 15 17:40:46 2014	(r351356)
@@ -0,0 +1,15 @@
+--- ./dnsmasq.conf.example.orig	2014-04-09 21:36:53.000000000 +0200
++++ ./dnsmasq.conf.example	2014-04-15 19:32:54.000000000 +0200
+@@ -123,6 +123,12 @@
+ # running another nameserver on the same machine.
+ #bind-interfaces
+ 
++# Accept DNS queries only from hosts whose address is on a local
++# subnet, ie a subnet for which an interface exists on the server.
++# This option only has effect if there are no --interface
++# --except-interface, --listen-address or --auth-server options.
++local-service
++
+ # If you don't want dnsmasq to read /etc/hosts, uncomment the
+ # following line.
+ #no-hosts
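Review bot: The comment line "# This option only has effect if there are no --interface" is missing a comma after --interface, so the four option names read as three; also "ie" should be "i.e.". More importantly, since the patch enables local-service uncommented while the neighbouring options stay as commented hints, the comment should say explicitly that adding interface=, except-interface=, listen-address= or auth-server= later silently disables the source-subnet check, otherwise a user who copies this example and then restricts interfaces loses the protection without any warning.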
_______________________________________________
svn-ports-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-ports-all
To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
Comment 3 Matthias Andree freebsd_committer freebsd_triage 2014-04-15 18:41:10 UTC
State Changed
From-To: open->closed

Committed. Thanks!