* Simon Kelley [Thu Dec 19, 2013 at 04:10:10PM +0000]:
> On 19/12/13 10:51, Michael Prokop wrote:
> > I've been involved in two situations already where a default dnsmasq
> > installation was misused for DDoS nameserver attacks, because
> > dnsmasq is listening on all network devices without any real
> > limitations by default.
> >
> > Something like:
> >
> > % cat /etc/dnsmasq.d/loopback.conf
> > interface=lo
> > no-dhcp-interface=
> > bind-interfaces
> > listen-address=127.0.0.1
> >
> > mitigates this problem for systems where dnsmasq is used e.g. only
> > for chroots on the local system. I'm not sure if listening on
> > loopback-only is what users of dnsmasq would expect though. But
> > maybe there could be an according notice about the possible risks
> > and how to bind it to loopback-only in README.Debian or so if
> > dnsmasq continues to listen on all interfaces by default?
>
> I'm very tempted to do something like this (though just
> "interface=lo" should be more than sufficient).

AFAICS it needs at least "interface=lo" *and* "bind-interfaces".

> The problem is that it will gratuitously break _lots_ of existing
> installations on upgrade.
>
> Hmm, can I find enough packaging-foo to arrange for this on _new_
> installations, but not on upgrades?

Good question. :-/

> Whatever, I'll add a warning to the docs.

Thanks!

regards,
-mika-
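The thread's practical point is the loopback-only fragment and the observation that "interface=lo" by itself is not enough, since dnsmasq still binds the wildcard address unless "bind-interfaces" is also set. The following shell check is an added example, not code from the thread or from the dnsmasq or Debian projects: it parses a dnsmasq config fragment and reports whether it pins the daemon to loopback, requiring bind-interfaces together with only "lo" interfaces or only loopback listen-addresses. The sample fragments are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: check whether a dnsmasq
# config fragment pins the daemon to loopback. Per the thread, "interface=lo"
# alone is not enough; "bind-interfaces" is needed as well, otherwise dnsmasq
# binds the wildcard address and merely filters by interface.

# dnsmasq_loopback_only CONFIG_TEXT
# Returns 0 if the fragment restricts dnsmasq to loopback, 1 otherwise.
dnsmasq_loopback_only() {
    # Strip comments, surrounding whitespace and blank lines.
    cfg=$(printf '%s\n' "$1" \
          | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
          | grep -v '^$' || true)

    # bind-interfaces must be present as its own directive.
    printf '%s\n' "$cfg" | grep -qx 'bind-interfaces' || return 1

    # Collect interface= and listen-address= values (comma lists allowed).
    ifaces=$(printf '%s\n' "$cfg" | sed -n 's/^interface=//p' | tr ',' ' ')
    addrs=$(printf '%s\n' "$cfg" | sed -n 's/^listen-address=//p' | tr ',' ' ')

    # Neither directive present means dnsmasq still listens everywhere.
    [ -n "$ifaces$addrs" ] || return 1

    # Every named interface must be lo ...
    for i in $ifaces; do
        [ "$i" = "lo" ] || return 1
    done
    # ... and every listen-address must be a loopback address.
    for a in $addrs; do
        case "$a" in
            127.*|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample fragments (not real files from any system).
LOOPBACK_CFG='# loopback-only, as proposed in the thread
interface=lo
no-dhcp-interface=
bind-interfaces
listen-address=127.0.0.1'

DEFAULT_CFG='# nothing restricting interfaces: the risky default
domain-needed
bogus-priv'

PARTIAL_CFG='# interface=lo without bind-interfaces: still not enough
interface=lo'

# Print a verdict for one fragment.
report() {
    if dnsmasq_loopback_only "$2"; then
        echo "$1: loopback-only"
    else
        echo "$1: listens beyond loopback (restrict it or review exposure)"
    fi
}

report loopback "$LOOPBACK_CFG"
report default "$DEFAULT_CFG"
report partial "$PARTIAL_CFG"
```

The check is deliberately strict: a fragment that names both lo and another interface, or that lacks bind-interfaces, is reported as exposed, which matches the thread's conclusion that the two directives are needed together. Running it over every file in /etc/dnsmasq.d plus /etc/dnsmasq.conf concatenated gives a quick audit of an installation.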