#17964: dnsmasq answering requests on public interfaces
---------------------------------------+-----------------------------------
Reporter: anonymous | Owner: developers
Type: defect | Status: new
Priority: highest | Milestone:
Component: base system | Version: Barrier Breaker 14.07
Keywords: dns amplification attacks |
---------------------------------------+-----------------------------------
OpenWrt's default settings for dnsmasq could allow an attacker to perform
recursive DNS requests on WAN interfaces, since dnsmasq will answer wildcard
requests.
Why is this a hazard?
http://www.watchguard.com/infocenter/editorial/41649.asp
It would be advisable to make the result of the following commands a
default:
uci set dhcp.@dnsmasq[0].wildcard=0
uci set dhcp.@dnsmasq[0].interface=lan
uci commit
For most home router environments this setting will be sufficient.
Experts who are developing more complex configurations will know how to
use additional interfaces.
As a matter of fact LuCI does not currently respect wildcard, notinterface
or interface.
Another solution could be to block incoming TCP and UDP requests on port 53
on external IPs with a default rule. This solution is not advisable, since
it only works while the firewall script is up.
--
Ticket URL: <https://dev.openwrt.org/ticket/17964>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
_______________________________________________
openwrt-tickets mailing list
openwrt-tickets@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-tickets
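To verify from outside whether a router actually exposes what the ticket describes (a dnsmasq on the WAN address that serves recursive queries for arbitrary names), here is an added open-resolver probe. It is not code from the ticket or from OpenWrt. It builds a DNS query with the RD bit set, sends it to the address given on the command line and reports whether the reply carries RA with RCODE NOERROR, which is what an amplification attacker needs, together with the bytes-out-per-byte-in ratio the reply offers. The query name example.com, the fixed transaction ID, the 2 second timeout and the 192.0.2.1 placeholder target are assumptions chosen for the example.

```python
"""Open-resolver probe for a dnsmasq reachable on the WAN interface.

Added example, not code from the ticket or from OpenWrt. Sends one
recursive DNS query (RD set) and classifies the reply. The query name,
fixed transaction ID, timeout and placeholder target are assumptions.
"""
import socket
import struct
import sys

# Header flag bits and fields (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000     # message is a response
FLAG_RD = 0x0100     # recursion desired
FLAG_RA = 0x0080     # recursion available
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def build_query(qname, txid=0x1234, qtype=1):
    """Wire bytes of a standard recursive query (QTYPE 1 = A, QCLASS 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def parse_header(data, txid):
    """Decode the 12-byte header; raise ValueError if it cannot answer our query."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    rid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    return {
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & RCODE_MASK,
        "answers": ancount,
    }


def classify(header):
    """'open': recursion served to us; 'refused': listener up but refusing; else 'other'."""
    if header["ra"] and header["rcode"] == RCODE_NOERROR:
        return "open"
    if header["rcode"] == RCODE_REFUSED:
        return "refused"
    return "other"


def probe(host, qname="example.com", port=53, timeout=2.0):
    """Send the query over UDP to host and classify the reply (needs network access)."""
    txid = 0x1234  # fixed for reproducibility; a real scanner should randomise it
    query = build_query(qname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except (socket.timeout, ConnectionRefusedError):
            # nothing listening on that address (dnsmasq bound to LAN only,
            # or port 53 filtered) or the packet was dropped
            return {"verdict": "closed", "answers": 0, "amplification": 0.0}
    header = parse_header(data, txid)
    return {
        "verdict": classify(header),
        "answers": header["answers"],
        # bytes returned per byte sent: the multiplier an amplification attack gets
        "amplification": round(len(data) / len(query), 2),
    }


if __name__ == "__main__":
    # assumed placeholder target (TEST-NET-1); pass the router's WAN address instead
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print(probe(target))
```

Run it from a host outside the router's LAN against the WAN address: a verdict of "open" with a non-trivial amplification ratio is the condition the ticket warns about; a router whose dnsmasq no longer listens on the WAN address should give "closed", while a resolver that is bound there but rejects outside clients gives "refused".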