dnsmasq provides recursive answers to the Internet by default

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Looks like 2.69 was released on 9 April. We have been in feature freeze for Trusty since 20 Februrary, and final freeze was yesterday, so I don't think that we'll be able to do this in time for Trusty. But as there is a security element here, I've asked a member of the security team for input.

I see that 2.69 has been uploaded to Debian unstable and includes use of --local-service by default, so this should get automatically synced to Ubuntu in time for the next release.

Curiosity fueled a couple of tests on this. In checking 2 common scenarios, at least one use case confirms.

Aside from this confirmation, a bigger-picture question could be: in principle, how is 53 being open and interactive by default any different than 80, 22, or 137-139 being open and interactive by default, when dnsmasq is not installed by default? If a user chooses to add a service, whether that is ssh, samba, apache, dnsmasq, or others, in what scenarios are we to protect the user against him/herself? One could argue that all of those protocols are subject to abuse. In other words - this could be a slippery slope.

Having said that little devil's advocate bit, I am *all for* making sure our default behavior is to not have an open recursive DNS server.

Here's what I found:

[test0]: Trusty default server install + "Virtual Machine Host" package selection (ok)
[test1]: Trusty default server install + install dnsmasq (CONFIRMS open recursive DNS condition)

##### [test0] #####
Trusty default server install + "Virtual Machine Host" package selection

* This method does not result in an open recursive DNS server.

* The default ip interface layout follows; eth0 is connected and has obtained an address via dhcp; libvirt has created virbr0 interface, and dnsmasq is listening only on the virbr0 interface (192.168.122.1).

rbeisner@isotest0:~$ sudo ip addr | grep gl
    inet 10.4.5.132/24 brd 10.4.5.255 scope global eth0
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0

rbeisner@isotest0:~$ sudo netstat -taupn | egrep ':22|:53'
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1148/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 852/sshd
tcp6 0 0 :::22 :::* LISTEN 852/sshd
udp 0 0 192.168.122.1:53 0.0.0.0:* 1148/dnsmasq

* The default iptables firewall rules for this use case follow; Destination ports 53 tcp & udp are explicitly allowed in the virbr0 interface. DNS ports are not disallowed anywhere, and there isn't a default drop or reject rule in the input chain. But because dnsmasq is only bound to the virbr0 interface, it should not be accessible on any other interface, even if all iptables rules are flushed.

beisner@isotest0:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 19526 packets, 29M bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
    0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
    0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
    0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTAB...

On Mon, Apr 14, 2014 at 03:02:44PM -0000, Ryan Beisner wrote:
> Aside from this confirmation, a bigger-picture question could be: in
> principle, how is 53 being open and interactive by default any different
> than 80, 22, or 137-139 being open and interactive by default, when
> dnsmasq is not installed by default? If a user chooses to add a
> service, whether that is ssh, samba, apache, dnsmasq, or others, in what
> scenarios are we to protect the user against him/herself? One could
> argue that all of those protocols are subject to abuse. In other words
> - this could be a slippery slope.

I think that a key difference for DNS is that there are multiple common
modes of operation, and for dnsmasq an open recursive server seems to be
an uncommon mode to me. Users may want dnsmasq provision for some
local networking setup (this is common - see lxc and libvirt), or want
to authoritatively serve a zone, and in both of these cases there's no
need to serve recursively to outside requests at all.

And when one does serve recursive queries, it's still considered a
generally bad idea (AIUI) to serve the Internet in general. You'd want
to configure it to serve a limited network instead.

So the difference is where (and if) the default isn't useful in the
majority of cases. This might apply to bind and unbound also, but does
not apply to a public web server where the point of installing it is to
serve pages publicly.

An exception is that for a server that doesn't have a publicly reachable
interface (via RFC1918, or as blocked by a firewall, or whatever), it
might be easier to just answer recursively to all requests, given that
it is separately known that these requests cannot be coming from the
Internet at large. In this case, this kind of default might be useful.
samba is an example of this type of case, as it typically is installed
on an internal network that is already somehow unreachable from the
Internet.

I'm not arguing either way here, just answering your "where do we draw
the line?" question. Perhaps dnsmasq also fits into this latter
category.

Yep, I'm with ya Robie.

I completely agree that it is difficult and hard to draw the line. My initial approach was to convince the author to change the default behaviour, but unfortunately I did not succeed with that.

Serving DNS requests to only the intended audience is a better alternative. This has been the intended approach of other bug reports, but it is actually very hard to determine from outside of the daemon. Since dnsmasq also usually has the role of DHCP provider, and also has to know about which interfaces it servers on, it is in the perfect position to know about the intended audience. This argument finally won over the author to at least implement the option.

Since I've personally seen dozens of reports of exploited dnsmasq instances, and even experts who overlooked its role in installs, I'm now trying to convince all package maintainers to use the --local-service option by default.

I think you're right, and I think that is indeed the place to do it. I've seen other people, on similar topics, debate 'the line.' This very discussion will be valuable in this change because it shows that we are assessing that aspect. Thanks again for filing this.

On Mon, Apr 14, 2014 at 08:39:01PM -0000, Jeroen van der Ham wrote:

[...]

> ...I'm now
> trying to convince all package maintainers to use the --local-service
> option by default.

AIUI, you've effectively convinced Ubuntu, by virtue of having convinced
Debian. But this change didn't make Trusty, since the upstream
--local-service feature hadn't filtered down. I think it probably will
be in by the next release.