Date:      Sun, 13 Apr 2014 10:01:23 GMT
From:      Jeroen van der Ham <jeroen@1sand0s.nl>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/188548: Prevent dnsmasq from becoming an open recursive resolver
Message-ID:  <201404131001.s3DA1N6E021019@cgiserv.freebsd.org>
Resent-Message-ID: <201404131010.s3DAA28d093630@freefall.freebsd.org>


>Number:         188548
>Category:       ports
>Synopsis:       Prevent dnsmasq from becoming an open recursive resolver
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 13 10:10:02 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Jeroen van der Ham
>Release:        
>Organization:
>Environment:
>Description:
dnsmasq has been updated to version 2.69 recently to include DNSSEC support, but also has a new flag --local-service. This flag changes the behaviour of the DNS resolver part of dnsmasq so that it only answers queries made from the same subnet as it is in. Previous versions of dnsmasq were configured by default to respond to any DNS query, making it an easy target to use in DDoS attacks.

So please enable the --local-service flag by default?
>How-To-Repeat:

>Fix:
Set the default configuration to use the --local-service flag by default.

>Release-Note:
>Audit-Trail:
>Unformatted:
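Added illustration (not part of the PR and not dnsmasq's own code): a small Python model of the difference between the two defaults described above, answering any source versus answering only sources on a directly attached subnet. The interface addresses and query sources are constructed; the model shows only the subnet rule the report describes, not the finer points of dnsmasq's real check, which also depends on its other interface options.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed example: addresses (with prefix length) that the dnsmasq host
# is assumed to have on its interfaces. Not a real configuration.
LOCAL_INTERFACES = ["192.168.1.1/24", "10.10.0.1/16", "fd00:1::1/64"]

# Constructed query sources: three hosts on attached subnets and three
# addresses from elsewhere on the Internet (the open-resolver case).
SAMPLE_QUERY_SOURCES = [
    "192.168.1.42", "10.10.3.7", "fd00:1::5",
    "203.0.113.9", "198.51.100.77", "2001:db8::1",
]


def local_networks(interfaces: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Map each interface address to the subnet it belongs to."""
    return [ipaddress.ip_interface(a).network for a in interfaces]


def answers_query(src_ip: str, interfaces: Iterable[str], local_service: bool) -> bool:
    """Simplified model of the resolver's accept/refuse decision.

    local_service=False: the old default, every source is answered.
    local_service=True:  only a source on a directly attached subnet is answered.
    """
    if not local_service:
        return True
    src = ipaddress.ip_address(src_ip)
    # 'in' is False across address families, so v6 sources never match v4 nets.
    return any(src in net for net in local_networks(interfaces))


def classify(sources: Iterable[str], interfaces: Iterable[str],
             local_service: bool) -> Tuple[List[str], List[str]]:
    """Split query sources into (answered, refused) lists."""
    answered, refused = [], []
    for s in sources:
        (answered if answers_query(s, interfaces, local_service) else refused).append(s)
    return answered, refused


if __name__ == "__main__":
    for mode in (False, True):
        a, r = classify(SAMPLE_QUERY_SOURCES, LOCAL_INTERFACES, mode)
        print(f"local-service={mode}: answered={a} refused={r}")
```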


