On 19/12/13 10:51, Michael Prokop wrote:
> Package: dnsmasq
> Version: 2.68-1
> Severity: normal
>
>
> I've been involved in two situations already where a default dnsmasq
> installation was misused for DDoS nameserver attacks, because
> dnsmasq is listening on all network devices without any real
> limitations by default.
>
> Something like:
>
> % cat /etc/dnsmasq.d/loopback.conf
> interface=lo
> no-dhcp-interface=
> bind-interfaces
> listen-address=127.0.0.1
>
> mitigates this problem for systems where dnsmasq is used e.g. only
> for chroots on the local system. I'm not sure if listening on
> loopback-only is what users of dnsmasq would expect though. But
> maybe there could be an according notice about the possible risks
> and how to bind it to loopback-only in README.Debian or so if
> dnsmasq continues to listen on all interfaces by default?


I'm very tempted to do something like this (though just "interface=lo" should be more than sufficient). The problem is that it will gratuitously break _lots_ of existing installations on upgrade.

Hmm, can I find enough packaging-foo to arrange for this on _new_ installations, but not on upgrades?

Whatever, I'll add a warning to the docs.


Cheers,

Simon.
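As an added audit helper (not part of the bug report, of Simon's reply, or of the dnsmasq project), the script below reads dnsmasq `key=value` drop-in files from a directory, assumed to follow the `/etc/dnsmasq.d/*.conf` layout, and classifies the listening scope the report is about: the shipped default with no restriction at all, the loopback-only drop-in Michael posted, or a configuration limited to some other interface. The three sample directories it builds are constructed for the demonstration; the directory path and the verdict names are my own choices.

```shell
#!/bin/sh
# Added example: audit dnsmasq drop-in config files for the
# listen-on-everything default described in the bug report.
# Assumes the /etc/dnsmasq.d/*.conf layout; the directory is a parameter.

# Print every value of directive $2 found in $1/*.conf, one per line,
# skipping comment lines and splitting comma-separated lists.
dnsmasq_directive_values() {
    cat "$1"/*.conf 2>/dev/null \
        | grep -v '^[[:space:]]*#' \
        | sed -n "s/^[[:space:]]*$2=//p" \
        | tr ',' '\n'
}

# Classify the listening scope of the drop-ins in directory $1. Prints:
#   all-interfaces  no interface= or listen-address= restriction at all
#   loopback-only   only lo / 127.0.0.1 / ::1, and bind-interfaces is set
#   restricted      limited to some interfaces, but not loopback only
dnsmasq_listen_scope() {
    confdir="$1"
    ifaces=$(dnsmasq_directive_values "$confdir" interface)
    addrs=$(dnsmasq_directive_values "$confdir" listen-address)
    if [ -z "$ifaces" ] && [ -z "$addrs" ]; then
        echo all-interfaces
        return 0
    fi
    for i in $ifaces; do
        [ "$i" = lo ] || { echo restricted; return 0; }
    done
    for a in $addrs; do
        case "$a" in
            127.0.0.1|::1) ;;
            *) echo restricted; return 0 ;;
        esac
    done
    # Without bind-interfaces dnsmasq still binds the wildcard socket and
    # merely filters queries by interface, so the port is visible on every
    # address; treat that as restricted rather than loopback-only.
    if grep -qs '^[[:space:]]*bind-interfaces' "$confdir"/*.conf; then
        echo loopback-only
    else
        echo restricted
    fi
}

# Build three constructed sample directories under a temp root and echo
# the root: default (no drop-in, the shipped behaviour), loopback (the
# drop-in from the report), lan (restricted to a hypothetical eth0).
dnsmasq_make_samples() {
    root=$(mktemp -d)
    mkdir "$root/default" "$root/loopback" "$root/lan"
    cat > "$root/loopback/loopback.conf" <<'EOF'
# constructed sample, mirrors the drop-in quoted in the bug report
interface=lo
no-dhcp-interface=
bind-interfaces
listen-address=127.0.0.1
EOF
    cat > "$root/lan/lan.conf" <<'EOF'
# constructed sample: bound to one LAN interface only
interface=eth0
bind-interfaces
EOF
    echo "$root"
}

# Stand-alone run: report the verdict for each sample directory.
root=$(dnsmasq_make_samples)
for d in default loopback lan; do
    printf '%-9s %s\n' "$d" "$(dnsmasq_listen_scope "$root/$d")"
done
rm -rf "$root"
```

Point the function at the real drop-in directory (`dnsmasq_listen_scope /etc/dnsmasq.d`) to see what a host is configured for; since the script only reads files, confirm the running daemon's sockets separately with `ss -ulnp`, which shows the address each UDP listener is actually bound to.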

