Comment 3 for bug 1306646

Robie Basak (racb) wrote : Re: [Bug 1306646] Re: dnsmasq provides recursive answers to the Internet by default

On Mon, Apr 14, 2014 at 03:02:44PM -0000, Ryan Beisner wrote:
> Aside from this confirmation, a bigger-picture question could be: in
> principle, how is 53 being open and interactive by default any different
> than 80, 22, or 137-139 being open and interactive by default, when
> dnsmasq is not installed by default? If a user chooses to add a
> service, whether that is ssh, samba, apache, dnsmasq, or others, in what
> scenarios are we to protect the user against him/herself? One could
> argue that all of those protocols are subject to abuse. In other words
> - this could be a slippery slope.

I think that a key difference for DNS is that there are multiple common
modes of operation, and for dnsmasq an open recursive server seems to be
an uncommon mode to me. Users may want dnsmasq provision for some
local networking setup (this is common - see lxc and libvirt), or want
to authoritatively serve a zone, and in both of these cases there's no
need to serve recursively to outside requests at all.

And when one does serve recursive queries, it's still considered a
generally bad idea (AIUI) to serve the Internet in general. You'd want
to configure it to serve a limited network instead.

So the difference is where (and if) the default isn't useful in the
majority of cases. This might apply to bind and unbound also, but does
not apply to a public web server where the point of installing it is to
serve pages publicly.

An exception is that for a server that doesn't have a publicly reachable
interface (via RFC1918, or as blocked by a firewall, or whatever), it
might be easier to just answer recursively to all requests, given that
it is separately known that these requests cannot be coming from the
Internet at large. In this case, this kind of default might be useful.
samba is an example of this type of case, as it typically is installed
on an internal network that is already somehow unreachable from the
Internet.

I'm not arguing either way here, just answering your "where do we draw
the line?" question. Perhaps dnsmasq also fits into this latter
category.
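The distinction drawn above (answering recursively on every reachable interface versus confining answers to a local network) can be checked mechanically against a dnsmasq configuration. The following is an added example, not code from the bug thread, dnsmasq or Ubuntu: it parses dnsmasq.conf-style text and classifies how exposed the DNS service is. The option names (`interface`, `listen-address`, `except-interface`, `bind-interfaces`, `local-service`, `port`) are real dnsmasq options, but their semantics as encoded here are my reading of the man page and should be verified against the installed version; the sample configurations are constructed.

```python
"""Audit dnsmasq configuration text for the open-resolver default the bug
thread discusses. Added example; not dnsmasq's or Ubuntu's own code."""

# Options that confine which clients dnsmasq answers. Assumed semantics, per
# the dnsmasq man page as I know it: interface= and listen-address= limit
# where queries are accepted; local-service answers only hosts on a subnet
# of a local interface. Verify against your dnsmasq version.
RESTRICTING = ("interface", "listen-address", "local-service")


def parse_dnsmasq(text):
    """Parse dnsmasq.conf-style text into {option: [values]}.
    '#' comments and blank lines are dropped; flag options map to None."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        opts.setdefault(key.strip(), []).append(value.strip() or None)
    return opts


def classify_exposure(text):
    """Return one of:
      'disabled'   - port=0, DNS service is switched off entirely
      'restricted' - answers confined to named interfaces/addresses or to
                     local subnets (local-service)
      'partial'    - only except-interface is used; safe only if every
                     Internet-facing interface is excluded
      'open'       - any client that can reach port 53 gets recursive answers
    """
    opts = parse_dnsmasq(text)
    if "0" in opts.get("port", []):
        return "disabled"
    if any(opt in opts for opt in RESTRICTING):
        return "restricted"
    if "except-interface" in opts:
        return "partial"
    return "open"


# Constructed sample configurations (not the package's shipped files).
OPEN_CONF = """
domain-needed
bogus-priv
server=192.0.2.53      # upstream forwarder (documentation address)
"""
SAFE_CONF = OPEN_CONF + """
interface=lxcbr0       # answer only on the container bridge
bind-interfaces        # and bind sockets only there
"""

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("safe", SAFE_CONF)):
        print(f"{name}: {classify_exposure(conf)}")
```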