dnsmasq provides recursive answers to the Internet by default
Bug #1306646 reported by Jeroen van der Ham
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
dnsmasq (Debian) | Fix Released | Unknown | |
dnsmasq (Ubuntu) | Triaged | High | Unassigned |
Bug Description
The default configuration of dnsmasq creates an open recursive name server, meaning that from anywhere on the Internet a request can be sent to dnsmasq. This is problematic as UDP packets can be spoofed and DNS has a high amplification factor, which makes it a ready tool for DDoS attacks.
The latest release of dnsmasq (v2.69) includes the option "--local-service", which restricts the recursive answers to the local subnet. Please make this option default for regular installs.
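A small lint that checks a dnsmasq.conf for the exposure described in this report, added here as an example and not part of the bug or of dnsmasq itself. It relies on the documented behaviour of `--local-service`: it limits answers to subnets the host has an interface on, but is ignored when `interface=`, `except-interface=`, `listen-address=` or `auth-server=` are present, so a "fixed" config can still be an open resolver. The sample configs are constructed.

```python
"""Lint a dnsmasq.conf for open-resolver exposure (added example, not dnsmasq code)."""

# Options that disable local-service when present (per the dnsmasq man page).
OVERRIDES = ("interface", "except-interface", "listen-address", "auth-server")

# Constructed sample configs for demonstration.
CONF_DEFAULT = "# pre-2.69 style default: nothing limits who may query\ndomain-needed\nbogus-priv\n"
CONF_FIXED = "# 2.69+ packaged default\nlocal-service\ndomain-needed\n"
CONF_MIXED = "local-service\ninterface=eth0  # explicit binding silently disables local-service\n"


def parse_conf(text):
    """Return {option: [values]} from dnsmasq.conf text, dropping comments and blanks."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition("=")
        opts.setdefault(key.strip().lower(), []).append(val.strip())
    return opts


def lint(text):
    """Return a list of findings. An empty list means local-service is in effect,
    i.e. recursive answers go only to directly attached subnets."""
    opts = parse_conf(text)
    active = [k for k in OVERRIDES if k in opts]
    # interface=/listen-address= scope the listener; except-interface= alone does not.
    scoped = "interface" in opts or "listen-address" in opts
    local_service_effective = "local-service" in opts and not active
    findings = []
    if "local-service" in opts and active:
        findings.append("local-service is ignored because %s is set" % ", ".join(active))
    if not local_service_effective and not scoped:
        findings.append("open resolver: no local-service and no interface/listen-address scoping")
    if scoped:
        scope = opts.get("listen-address", []) + opts.get("interface", [])
        findings.append("recursion scoped to %s; confirm these are not Internet-facing" % ", ".join(scope))
    return findings


if __name__ == "__main__":
    for name, conf in (("default", CONF_DEFAULT), ("fixed", CONF_FIXED), ("mixed", CONF_MIXED)):
        print(name, lint(conf) or ["ok"])
```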
Changed in dnsmasq (Debian): status: Unknown → Fix Released
Thank you for taking the time to report this bug and helping to make Ubuntu better.
Looks like 2.69 was released on 9 April. We have been in feature freeze for Trusty since 20 February, and final freeze was yesterday, so I don't think that we'll be able to do this in time for Trusty. But as there is a security element here, I've asked a member of the security team for input.
I see that 2.69 has been uploaded to Debian unstable and includes use of --local-service by default, so this should get automatically synced to Ubuntu in time for the next release.