ports/188548: Prevent dnsmasq from becoming an open recursive resolver

Jeroen van der Ham jeroen at 1sand0s.nl
Sun Apr 13 10:10:03 UTC 2014


>Number:         188548
>Category:       ports
>Synopsis:       Prevent dnsmasq from becoming an open recursive resolver
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 13 10:10:02 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Jeroen van der Ham
>Release:        
>Organization:
>Environment:
>Description:
dnsmasq has been updated to version 2.69 recently to include DNSSEC support, but it also has a new flag, --local-service. This flag changes the behaviour of the DNS resolver part of dnsmasq so that it only answers queries made from the same subnet as it is in. Previous versions of dnsmasq were configured by default to respond to any DNS query, making it an easy target to use in DDoS attacks.

So, could you please enable the --local-service flag by default?
>How-To-Repeat:

>Fix:
Set the default configuration to use the --local-service flag by default.

>Release-Note:
>Audit-Trail:
>Unformatted:
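As an added illustration (not part of the PR or of the dnsmasq port), the following shell function audits a dnsmasq.conf for the exposure described above: it reports whether DNS is switched off, explicitly scoped by interface/listen-address lines, protected by local-service, or left answering any source address. The sample configuration files it creates are constructed for the demonstration; the rule that local-service is ignored when interface=, except-interface=, listen-address= or auth-server= are present comes from the dnsmasq manual.

```shell
#!/bin/sh
# Added example (not part of the PR): audit a dnsmasq.conf for open-resolver exposure.
# Config-file keys are the long options without leading dashes ("local-service").
# Per dnsmasq's manual, local-service only takes effect when no interface=,
# except-interface=, listen-address= or auth-server= lines are present, so
# those are reported separately as "listen-scoped".
audit_dnsmasq_conf() {
    # Drop comments, trim surrounding whitespace, delete empty lines.
    keys=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1")
    if printf '%s\n' "$keys" | grep -Eq '^port[[:space:]]*=[[:space:]]*0$'; then
        echo dns-disabled            # DNS service switched off entirely (e.g. DHCP-only)
    elif printf '%s\n' "$keys" | grep -Eq '^(interface|except-interface|listen-address|auth-server)[[:space:]]*='; then
        echo listen-scoped           # explicit scoping; local-service would be ignored
    elif printf '%s\n' "$keys" | grep -Eq '^local-service$'; then
        echo local-service           # answers only hosts on directly attached subnets
    else
        echo OPEN                    # answers any source address: amplification risk
        return 1
    fi
}

# Constructed sample configurations (hypothetical, for demonstration only).
tmpd=$(mktemp -d)
printf 'domain-needed\nbogus-priv\n'                    > "$tmpd/open.conf"
printf 'domain-needed\nbogus-priv\nlocal-service\n'     > "$tmpd/fixed.conf"
printf 'listen-address=127.0.0.1\nbind-interfaces\n'    > "$tmpd/scoped.conf"
printf '# DHCP only\nport=0\n'                           > "$tmpd/dhcp-only.conf"

for f in "$tmpd"/*.conf; do
    printf '%-16s %s\n' "$(basename "$f")" "$(audit_dnsmasq_conf "$f")"
done
```

The function exits non-zero only for the OPEN verdict, so it can be dropped into a periodic configuration check as-is.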