Package: dnsmasq
Version: 2.68-1
Severity: normal
I've been involved in two situations already where a default dnsmasq installation was misused for DDoS nameserver attacks, because dnsmasq is listening on all network devices without any real limitations by default.

Something like:

    % cat /etc/dnsmasq.d/loopback.conf
    interface=lo
    no-dhcp-interface=
    bind-interfaces
    listen-address=127.0.0.1

mitigates this problem for systems where dnsmasq is used e.g. only for chroots on the local system.

I'm not sure if listening on loopback-only is what users of dnsmasq would expect though. But maybe there could be a corresponding notice about the possible risks and how to bind it to loopback-only in README.Debian or so, if dnsmasq continues to listen on all interfaces by default?

regards,
-mika-

Archive: http://lists.debian.org/2013-12-19t11-33...@devnull.michael-prokop.at
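The loopback-only fragment above is easy to get subtly wrong (a stray `interface=` or `listen-address=` line in another file under /etc/dnsmasq.d re-opens the resolver). The script below is an added example, not part of the bug report or of the dnsmasq package: it audits a dnsmasq configuration file and reports whether it restricts listening to loopback. It assumes a POSIX sh with sed and mktemp, and the sample configuration files it writes to temporary files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report or dnsmasq): check whether a
# dnsmasq config fragment limits the daemon to loopback.

# Returns 0 when the file has bind-interfaces together with
# interface=lo or a loopback listen-address, and no other
# interface=/listen-address= line; returns 1 otherwise.
dnsmasq_loopback_only() {
    conf="$1"
    have_bind=0; have_lo=0; have_other=0
    while IFS= read -r line; do
        # drop comments and surrounding whitespace
        line=$(printf '%s' "$line" | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -z "$line" ] && continue
        case "$line" in
            bind-interfaces) have_bind=1 ;;
            interface=lo|listen-address=127.0.0.1|listen-address=::1) have_lo=1 ;;
            # any other explicit interface or address widens the listener
            interface=*|listen-address=*) have_other=1 ;;
        esac
    done < "$conf"
    [ "$have_bind" -eq 1 ] && [ "$have_lo" -eq 1 ] && [ "$have_other" -eq 0 ]
}

# Constructed sample: the loopback-only fragment from the report.
make_loopback_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
interface=lo
no-dhcp-interface=
bind-interfaces
listen-address=127.0.0.1
EOF
    printf '%s\n' "$f"
}

# Constructed sample: a default-style config with no listener restriction.
make_open_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# typical defaults, nothing limits which interfaces are served
domain-needed
bogus-priv
EOF
    printf '%s\n' "$f"
}

# Usage: audit both constructed samples and clean up.
for c in "$(make_loopback_conf)" "$(make_open_conf)"; do
    if dnsmasq_loopback_only "$c"; then
        echo "$c: loopback-only"
    else
        echo "$c: listens on all interfaces (open resolver risk)"
    fi
    rm -f "$c"
done
```

To audit a real system, run the function over every file dnsmasq reads (`/etc/dnsmasq.conf` and `/etc/dnsmasq.d/*`); a single unrestricted fragment is enough to make the whole daemon listen everywhere, so all of them must pass.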