I completely agree that it is difficult and hard to draw the line. My
initial approach was to convince the author to change the default
behaviour, but unfortunately I did not succeed with that.

Serving DNS requests to only the intended audience is a better
alternative. This has been the intended approach of other bug reports,
but it is actually very hard to determine from outside of the daemon.
Since dnsmasq also usually has the role of DHCP provider, and also has
to know about which interfaces it serves on, it is in the perfect
position to know about the intended audience.  This argument finally won
over the author to at least implement the option.

Since I've personally seen dozens of reports of exploited dnsmasq
instances, and even experts who overlooked its role in installs, I'm now
trying to convince all package maintainers to use the --local-service
option by default.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launchpad.net/bugs/1306646

Title:
  dnsmasq provides recursive answers to the Internet by default
