Comment 2 for bug 1306646

Curiosity fueled a couple of tests on this. In checking 2 common scenarios, at least one use case confirms.

Aside from this confirmation, a bigger-picture question could be: in principle, how is 53 being open and interactive by default any different than 80, 22, or 137-139 being open and interactive by default, when dnsmasq is not installed by default? If a user chooses to add a service, whether that is ssh, samba, apache, dnsmasq, or others, in what scenarios are we to protect the user against him/herself? One could argue that all of those protocols are subject to abuse. In other words - this could be a slippery slope.

Having said that little devil's advocate bit, I am *all for* making sure our default behavior is to not have an open recursive DNS server.

Here's what I found:

[test0]: Trusty default server install + "Virtual Machine Host" package selection (ok)
[test1]: Trusty default server install + install dnsmasq (CONFIRMS open recursive DNS condition)

##### [test0] #####
Trusty default server install + "Virtual Machine Host" package selection

* This method does not result in an open recursive DNS server.

* The default ip interface layout follows; eth0 is connected and has obtained an address via dhcp; libvirt has created virbr0 interface, and dnsmasq is listening only on the virbr0 interface (192.168.122.1).

rbeisner@isotest0:~$ sudo ip addr | grep gl
    inet 10.4.5.132/24 brd 10.4.5.255 scope global eth0
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0

rbeisner@isotest0:~$ sudo netstat -taupn | egrep ':22|:53'
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1148/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 852/sshd
tcp6 0 0 :::22 :::* LISTEN 852/sshd
udp 0 0 192.168.122.1:53 0.0.0.0:* 1148/dnsmasq

* The default iptables firewall rules for this use case follow; Destination ports 53 tcp & udp are explicitly allowed in the virbr0 interface. DNS ports are not disallowed anywhere, and there isn't a default drop or reject rule in the input chain. But because dnsmasq is only bound to the virbr0 interface, it should not be accessible on any other interface, even if all iptables rules are flushed.

beisner@isotest0:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 19526 packets, 29M bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
    0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
    0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
    0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
    0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
    0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
    0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 10169 packets, 592K bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68

* Flush iptables, all traffic allowed:

rbeisner@isotest0:~$ sudo iptables -F
rbeisner@isotest0:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 39 packets, 2712 bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 20 packets, 1792 bytes)
 pkts bytes target prot opt in out source destination

* Port scans from a neighboring node confirm that tcp and udp 53 are closed on the world-facing interface:

rbeisner@bcu:~$ sudo nmap -sU -p 53 10.4.5.132 | grep 53
53/udp closed domain

rbeisner@bcu:~$ sudo nmap -sT -p 53 10.4.5.132 | grep 53
53/tcp closed domain

rbeisner@bcu:~$ sudo nmap -sT -p 22 10.4.5.132 | grep 22
22/tcp open ssh
...

##### [test1] #####
Trusty default server install + install dnsmasq (CONFIRMS open recursive DNS condition)

* CONFIRMS the default condition to be an open recursive DNS server /!\.

* DNS query from a neighboring host succeeds:
rbeisner@isotest0:~$ dig @10.4.5.143 thekelleys.org.uk +short
213.138.109.107

* Port scans from a neighboring node confirm that tcp and udp 53 are open on the world-facing interface:

rbeisner@isotest0:~$ sudo nmap -sU -p 53 10.4.5.143 | grep 53
53/udp open domain

rbeisner@isotest0:~$ sudo nmap -sT -p 53 10.4.5.143 | grep 53
53/tcp open domain

* dnsmasq is listening on all ip interfaces, also iptables isn't restricting it:

rbeisner@isotest1:~$ sudo netstat -taupn | egrep ':22|:53'
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 2581/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2142/sshd
tcp6 0 0 :::53 :::* LISTEN 2581/dnsmasq
tcp6 0 0 :::22 :::* LISTEN 2142/sshd
udp 0 0 0.0.0.0:53 0.0.0.0:* 2581/dnsmasq
udp6 0 0 :::53 :::* 2581/dnsmasq

rbeisner@isotest1:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 30200 packets, 42M bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 15576 packets, 1024K bytes)
 pkts bytes target prot opt in out source destination