On Mon, Apr 14, 2014 at 03:02:44PM -0000, Ryan Beisner wrote:
> Aside from this confirmation, a bigger-picture question could be: in
> principle, how is 53 being open and interactive by default any different
> than 80, 22, or 137-139 being open and interactive by default, when
> dnsmasq is not installed by default? If a user chooses to add a
> service, whether that is ssh, samba, apache, dnsmasq, or others, in what
> scenarios are we to protect the user against him/herself? One could
> argue that all of those protocols are subject to abuse. In other words
> - this could be a slippery slope.
I think that a key difference for DNS is that there are multiple common modes of operation, and for dnsmasq an open recursive server seems to be an uncommon mode to me. Users may want dnsmasq provisioned for some local networking setup (this is common - see lxc and libvirt), or want to authoritatively serve a zone, and in both of these cases there's no need to serve recursively to outside requests at all. And when one does serve recursive queries, it's still considered a generally bad idea (AIUI) to serve the Internet in general. You'd want to configure it to serve a limited network instead.

So the difference is where (and if) the default isn't useful in the majority of cases. This might apply to bind and unbound also, but does not apply to a public web server, where the point of installing it is to serve pages publicly.

An exception is that for a server that doesn't have a publicly reachable interface (via RFC1918, or as blocked by a firewall, or whatever), it might be easier to just answer recursively to all requests, given that it is separately known that these requests cannot be coming from the Internet at large. In this case, this kind of default might be useful. samba is an example of this type of case, as it typically is installed on an internal network that is already somehow unreachable from the Internet.

I'm not arguing either way here, just answering your "where do we draw the line?" question. Perhaps dnsmasq also fits into this latter category.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launchpad.net/bugs/1306646

Title:
  dnsmasq provides recursive answers to the Internet by default

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1306646/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
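The message above distinguishes the stock "listen everywhere, forward everything" configuration from the restricted modes people actually want (serve one bridge interface for lxc/libvirt, or serve a zone authoritatively without forwarding at all). The following is an added example, not code from the bug thread, from Ubuntu or from dnsmasq itself: a small Python audit that reads dnsmasq.conf text and reports whether the resulting daemon would be an open recursive resolver. It goes slightly beyond the thread by also covering the local-service option, which restricts answers to directly attached subnets. Assumptions: the option names (interface=, listen-address=, except-interface=, bind-interfaces, local-service, no-resolv, server=, local=) are the documented dnsmasq ones; local-service is assumed to exist in the installed version; /etc/resolv.conf is assumed to list a real upstream server; the four sample configurations are constructed for illustration.

```python
# Added example: audit a dnsmasq configuration for the open-recursive default.
# Not code from the bug thread or from dnsmasq. Option names follow the dnsmasq
# manual; whether local-service is available depends on the installed version,
# and the stock "recursive" verdict assumes /etc/resolv.conf names a real upstream.


def parse_dnsmasq_conf(text):
    """Split dnsmasq.conf text into (key, value) pairs; bare flags get value None."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            opts.append((key.strip(), value.strip()))
        else:
            opts.append((line, None))
    return opts


def audit(text):
    """Classify a config as recursive or not, and exposed on all interfaces or not."""
    opts = parse_dnsmasq_conf(text)
    keys = {k for k, _ in opts}
    reasons = []

    # Recursion: dnsmasq forwards to upstream servers read from /etc/resolv.conf
    # unless no-resolv is set, and to any server= line that names an address.
    # server=/domain/ (trailing slash, no address) and local=/domain/ mean
    # "never forward this domain", so they do not count as upstreams.
    upstream_lines = [v for k, v in opts if k == "server" and v and not v.endswith("/")]
    recursive = "no-resolv" not in keys or bool(upstream_lines)
    if recursive:
        reasons.append("forwards queries upstream (resolv.conf or server=)")
    else:
        reasons.append("no upstream servers: local/authoritative answers only")

    # Exposure: with no interface= or listen-address=, dnsmasq answers on every
    # interface. except-interface= is a blacklist and only helps if it names the
    # public interface, so it is counted as restricting but should be eyeballed.
    restricted = bool({"interface", "listen-address", "except-interface"} & keys)
    if "local-service" in keys:
        restricted = True
        reasons.append("local-service: answers only hosts on directly attached subnets")
    elif restricted:
        reasons.append("listener restricted by interface=/listen-address=/except-interface=")
    else:
        reasons.append("no interface restriction: listens on all interfaces")

    return {
        "recursive": recursive,
        "restricted": restricted,
        "open_recursive": recursive and not restricted,
        "reasons": reasons,
    }


# Constructed sample configurations (not taken from any real host).
STOCK_CONF = """
# Everything commented out, as shipped: the open-recursive default.
#interface=
#no-resolv
"""

LXC_CONF = """
# Serve only the container bridge, as lxc/libvirt style setups do.
interface=lxcbr0
bind-interfaces
"""

AUTH_ONLY_CONF = """
# Answer one lab zone from local data and never forward anything.
no-resolv
local=/lab.example/
"""

LOCAL_SERVICE_CONF = """
# Recursive, but only for hosts on subnets this box is directly attached to.
local-service
"""

if __name__ == "__main__":
    samples = [("stock", STOCK_CONF), ("lxc", LXC_CONF),
               ("auth-only", AUTH_ONLY_CONF), ("local-service", LOCAL_SERVICE_CONF)]
    for name, conf in samples:
        result = audit(conf)
        print(f"{name:14} open_recursive={result['open_recursive']}  "
              f"{'; '.join(result['reasons'])}")
```

Run it against /etc/dnsmasq.conf (and the files in /etc/dnsmasq.d/) to see which of the modes discussed above a host is actually in; only the stock configuration comes out as open recursive, while the interface-restricted, authoritative-only and local-service variants do not.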