Reviewed: https://review.openstack.org/633211
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=72d9c3ccb34f5c5abb8de0b32d4ef1660b9f502f
Submitter: Zuul
Branch: stable/pike
commit 72d9c3ccb34f5c5abb8de0b32d4ef1660b9f502f
Author: Jens Harbott <email address hidden>
Date: Mon Oct 29 17:08:33 2018 +0000
Secure dnsmasq process against external abuse
Currently any dhcp agent instance will work as an open resolver. For
deployments using publicly routed addresses for tenant networks, this
allows the agent to be abused in DDoS attacks, see [1].
By setting the `--local-service` option dnsmasq will filter DNS queries
and reply only to queries from directly attached networks.
[1] https://bugs.launchpad.net/neutron/+bug/1501206
Conflicts:
neutron/cmd/sanity_check.py
Closes-Bug: 1501206
Change-Id: I76d810aad2ce0f15a88bd798963012fa0efca74e
(cherry picked from commit 0fce3ca2c1641fbcfb8327a86d7225e2c3972263)
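
An added example, not part of the commit or of neutron's code: a small audit that classifies dnsmasq command lines by whether DNS is restricted with `--local-service`, disabled with `--port=0`, or left without either flag. The sample command lines, paths and interface names are constructed, and only long-form options are parsed.

```python
import shlex

# Constructed sample command lines (paths, interfaces and ranges are made up).
SAMPLE_CMDLINES = [
    "dnsmasq --no-hosts --interface=tap-a --pid-file=/run/dhcp/net-a/pid "
    "--dhcp-range=203.0.113.10,203.0.113.50,12h",
    "/usr/sbin/dnsmasq --no-hosts --local-service --interface=tap-b "
    "--pid-file=/run/dhcp/net-b/pid --dhcp-range=198.51.100.10,198.51.100.50,12h",
    "dnsmasq --port=0 --interface=tap-c --pid-file=/run/dhcp/net-c/pid",
    "sshd -D",
]


def parse_long_options(argv):
    """Map '--name=value' and bare '--name' arguments to a dict."""
    opts = {}
    for arg in argv:
        if arg.startswith("--"):
            name, _, value = arg[2:].partition("=")
            opts[name] = value
    return opts


def dns_exposure(cmdline):
    """Return (pid_file, status) for a dnsmasq command line, else None."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "dnsmasq":
        return None
    opts = parse_long_options(argv[1:])
    if opts.get("port") == "0":
        status = "dns-disabled"      # --port=0 turns the DNS function off
    elif "local-service" in opts:
        status = "local-only"        # the flag this commit adds
    else:
        status = "unrestricted"      # no flag-level limit on query sources
    return opts.get("pid-file", "<unknown>"), status


def audit(cmdlines):
    """Return pid files of dnsmasq instances started without a DNS restriction."""
    results = [r for r in map(dns_exposure, cmdlines) if r is not None]
    return [pid for pid, status in results if status == "unrestricted"]


if __name__ == "__main__":
    for pid_file in audit(SAMPLE_CMDLINES):
        print("no --local-service:", pid_file)
```

On a real host the input would be the command lines of the running dnsmasq processes rather than the constructed list.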