I found a recent thread [1] that already treats that problem [2]. Sorry for the noise; I am going to propose a patch for Neutron.

[1] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q4/thread.html#7707
[2] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q4/007721.html

Édouard.

On Thu, Dec 5, 2013 at 8:56 AM, Édouard Thuleau <thul...@gmail.com> wrote:
> In OpenStack, a dedicated isolated (through network namespaces) port
> is created to bind dnsmasq.
> My problem is: if I create a public network/subnet (like a network
> routed on the internet or another WAN) with Neutron and activate the IPAM
> (DHCP & DNS cache) service on it, other networks routed with that
> public network can access my IPAM port and use it as a DNS resolver.
> And in the case of a network routed on the internet, all the world can
> access it and could use it as an open DNS and
> unwittingly DDoS other machines.
>
> So my question is: 'Can I limit dnsmasq to answer DNS queries only to
> clients of the subnet served by dnsmasq or to a defined subnet?'
> If not, I will add an ACL on the dnsmasq port.
>
> Édouard.
>
> On Sat, Nov 30, 2013 at 3:34 AM, Jim Alles <kb3...@gmail.com> wrote:
>> Édouard Thuleau <thul...@gmail.com> wrote:
>> Nov 28 (1 day ago)
>> to dnsmasq-discuss
>> Hi,
>>
>> I'm new with dnsmasq and I'd like to know if we can limit it to answer
>> DNS queries only to clients of the subnet served by dnsmasq or to a
>> defined subnet?
>>
>> Regards,
>> Édouard.
>> ________________
>>
>> Is it not as simple as this?
>>
>> "One thing you will probably want to do is tell dnsmasq which ethernet
>> interface it can and cannot listen on, as we really don't want it
>> listening on the internet. By default dnsmasq offers DNS service on
>> all the configured interfaces of a host. It's likely that you don't
>> (for instance) want to offer a DNS service to the world via an
>> interface connected to ADSL or cable-modem, so dnsmasq allows you to
>> specify which interfaces it will listen on. Use either the interface
>> or address options to do this.
>>
>> If I didn't edit this line, it would also listen on eth0, my internet
>> connection. I personally wouldn't recommend this, as it gives those
>> evil guys a few doors to try to break into.
>>
>> except-interface=<WAN interface name (ethN)>"
>>
>> Peace,
>>
>> Jim Alles

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
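As an added example (not from the thread, and not dnsmasq's or Neutron's own code), a small audit of a dnsmasq.conf that checks the interface advice Jim quotes, applying the precedence rules documented in dnsmasq(8); the weak and hardened sample configs are constructed, and the interface names tap0 (tenant port) and eth0 (WAN) are assumed.

```python
# Added audit example (not from the thread or the dnsmasq project). Encodes the
# precedence rules in dnsmasq(8): --except-interface overrides --interface, and
# --local-service is ignored once any interface/address selection option is set.
LISTEN_OPTS = {"interface", "except-interface", "listen-address", "auth-server"}

def parse_conf(text):
    """Parse dnsmasq.conf lines ('key' or 'key=value'; '#' starts a comment)."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition("=")
            opts.append((key.strip(), val.strip()))
    return opts

def audit(text, wan_ifaces=("eth0",)):
    """Return (verdict, notes): 'open' when DNS would be served on a WAN-facing
    interface, 'interface-restricted' when interface/address selection keeps it
    off, 'source-restricted' when only --local-service limits answers to
    directly attached subnets."""
    opts = parse_conf(text)
    keys = {k for k, _ in opts}
    wanted = [v for k, v in opts if k == "interface"]
    excluded = [v for k, v in opts if k == "except-interface"]
    notes = []
    if not keys & LISTEN_OPTS:
        if "local-service" in keys:
            return "source-restricted", notes
        notes.append("no interface, listen-address or local-service: answers everyone")
        return "open", notes
    if "local-service" in keys:
        notes.append("local-service has no effect alongside interface selection")
    if "bind-interfaces" not in keys:
        notes.append("no bind-interfaces: wildcard socket, filtering is per packet")
    if wanted:                      # explicit allow-list (loopback is implied)
        listening = [i for i in wanted if i not in excluded]
    elif "listen-address" in keys:  # bound to given addresses; assumed non-WAN
        listening = []
    else:                           # every interface except the excluded ones
        listening = [i for i in wan_ifaces if i not in excluded]
    exposed = [i for i in listening if i in wan_ifaces]
    if exposed:
        notes.append("DNS served on WAN interface(s): " + ", ".join(exposed))
        return "open", notes
    return "interface-restricted", notes

# Constructed sample configs (assumed names: tap0 = tenant port, eth0 = WAN).
WEAK_CONF = "dhcp-range=192.168.10.50,192.168.10.150,12h\n"
HARDENED_CONF = "interface=tap0\nexcept-interface=eth0\nbind-interfaces\n" + WEAK_CONF
```

The local-service option appeared in dnsmasq 2.69 (2014), after this thread, and as the audit notes it is silently ignored once interface selection options are present.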