IMO instead of setting up some complicated filtering, the proper solution would be to run dnsmasq with the option
--local-service
"Accept DNS queries only from hosts whose address is on a local subnet, i.e. a subnet for which an interface exists on the server. This option only has effect if there are no --interface, --except-interface, --listen-address or --auth-server options. It is intended to be set as a default on installation, to allow unconfigured installations to be useful but also safe from being used for DNS amplification attacks."
(see http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html)
The only issue here is that dnsmasq is currently started with a lot of --interfaces and --exclude-interfaces options, which result in the above option being ignored. At least in my environment, though, all of these options are redundant and I can replace them with --local-service and get the bug fixed.
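The rule quoted from the man page above is easy to get wrong in practice, because a distribution or network manager can pass --local-service together with --interface or --listen-address and the option is then silently ignored. The following is an added example (not code from the bug report, from dnsmasq, or from any distribution): a small POSIX sh checker that reads a dnsmasq command line or dnsmasq.conf, one option per line, and reports whether --local-service is effective, ignored because one of --interface, --except-interface, --listen-address or --auth-server is also present, or absent altogether. The short forms -i, -I and -a are dnsmasq's own; the sample invocations at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether --local-service would actually apply to a
# given dnsmasq invocation. Per the dnsmasq man page the option only has
# effect when none of --interface, --except-interface, --listen-address or
# --auth-server is present.

# classify_dnsmasq_options
#   Reads options from stdin, one per line, in command-line form
#   (--interface=eth0, --interface eth0, -i eth0, -ieth0) or in
#   dnsmasq.conf form (interface=eth0). Blank lines and '#' comments are
#   skipped. Prints one word: effective | ignored | absent
#   Exit status is 0 only for "effective".
classify_dnsmasq_options() {
    has_local=0
    has_override=0
    while IFS= read -r line || [ -n "$line" ]; do
        # strip leading whitespace, then skip blank and comment lines
        line=${line#"${line%%[![:space:]]*}"}
        case $line in
            ''|'#'*) continue ;;
        esac
        case $line in
            --local-service|local-service)
                has_local=1 ;;
            # the four option families that disable --local-service;
            # -i, -I and -a are dnsmasq's short forms for the first three
            --interface|--interface=*|interface=*|-i|-i?*)
                has_override=1 ;;
            --except-interface|--except-interface=*|except-interface=*|-I|-I?*)
                has_override=1 ;;
            --listen-address|--listen-address=*|listen-address=*|-a|-a?*)
                has_override=1 ;;
            --auth-server|--auth-server=*|auth-server=*)
                has_override=1 ;;
        esac
    done
    if [ "$has_local" -eq 0 ]; then
        echo absent
        return 1
    fi
    if [ "$has_override" -eq 1 ]; then
        echo ignored
        return 1
    fi
    echo effective
    return 0
}

# check_dnsmasq_cmdline "CMDLINE"
#   Splits a whole command line on whitespace and classifies it.
check_dnsmasq_cmdline() {
    printf '%s\n' "$1" | tr -s ' 	' '\n\n' | classify_dnsmasq_options
}

# Constructed sample invocations (not copied from any real system):
SAMPLE_FILTERED="dnsmasq --no-resolv --local-service --interface=eth0 --except-interface=lo"
SAMPLE_SAFE="dnsmasq --no-resolv --local-service"
SAMPLE_NONE="dnsmasq --no-resolv --listen-address=127.0.0.1"

# Print a verdict for each sample; to audit a running instance, feed it
# the real command line, e.g.:  check_dnsmasq_cmdline "$(cat /proc/PID/cmdline | tr '\0' ' ')"
demo() {
    for c in "$SAMPLE_FILTERED" "$SAMPLE_SAFE" "$SAMPLE_NONE"; do
        printf '%-10s %s\n' "$(check_dnsmasq_cmdline "$c")" "$c"
    done
}
demo
```

The same function works on a config file with `classify_dnsmasq_options < /etc/dnsmasq.conf`; a verdict of "ignored" means the interface or address filtering, not --local-service, is what currently decides which clients are answered, which is exactly the situation the comment above describes.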